32854 matches found

Snyk | added 2026/04/16 9:21 p.m. | 7 views

Use of a Broken or Risky Cryptographic Algorithm

Overview: flowise-ui. Affected versions of this package are vulnerable to Use of a Broken or Risky Cryptographic Algorithm in the process that handles JWT secret assignment. An attacker can gain unauthorized access and impersonate any user, including administrators, by crafting valid JWTs usin...

CVSS 5.6 | AI score 5.8
Exploits 0 | References 2
Snyk | added 2026/04/16 9:21 p.m. | 8 views

Use of a Broken or Risky Cryptographic Algorithm

Overview: flowise is a Flowiseai Server. Affected versions of this package are vulnerable to Use of a Broken or Risky Cryptographic Algorithm in the process that handles JWT secret assignment. An attacker can gain unauthorized access and impersonate any user, including administrators, by crafting...

CVSS 5.6 | AI score 5.8
Exploits 0 | References 2
Snyk | added 2026/04/16 9:21 p.m. | 3 views

Use of a Broken or Risky Cryptographic Algorithm

Overview: flowise-components is Flowiseai Components. Affected versions of this package are vulnerable to Use of a Broken or Risky Cryptographic Algorithm in the process that handles JWT secret assignment. An attacker can gain unauthorized access and impersonate any user, including administrators...

CVSS 5.6 | AI score 5.8
Exploits 0 | References 2
Snyk | added 2026/04/16 9:19 p.m. | 9 views

Time-of-check Time-of-use (TOCTOU) Race Condition

Overview: openclaw is 🦞 OpenClaw — Personal AI Assistant. Affected versions of this package are vulnerable to Time-of-check Time-of-use (TOCTOU) Race Condition via the validateScriptFileForShellBleed function. An attacker can cause the preflight analysis to inspect a different file than the one tha...

CVSS 2.9 | AI score 5.8 | EPSS 0.00079
Exploits 0 | References 2
Snyk | added 2026/04/16 9:18 p.m. | 6 views

Command Injection

Overview: flowise-components is Flowiseai Components. Affected versions of this package are vulnerable to Command Injection via the Custom MCP configuration in http://localhost:3000/canvas. An attacker can execute arbitrary commands on the underlying operating system by supplying crafted argument...

CVSS 9.9 | AI score 6.3 | EPSS 0.01987
Exploits 1 | References 2
Snyk | added 2026/04/16 9:16 p.m. | 5 views

Directory Traversal

Overview: Affected versions of this package are vulnerable to Directory Traversal via the gettemplate function. An attacker can access arbitrary files readable by the process by supplying a specially crafted URI with a double-slash prefix, which bypasses path normalization checks. Note: This is...

CVSS 8.7 | AI score 6.5 | EPSS 0.00361
Exploits 0 | References 2
Snyk | added 2026/04/16 9:14 p.m. | 4 views

Directory Traversal

Overview: com.github.junrar:junrar is a rar decompression library in plain java. Affected versions of this package are vulnerable to Directory Traversal via the createDirectory and createFile methods in LocalFolderExtractor module. An attacker can write arbitrary files to sibling directories by...

CVSS 7.1 | AI score 6.4
Exploits 0 | References 2
Snyk | added 2026/04/16 9:10 p.m. | 8 views

Timing Attack

Overview: mojic obfuscates C source code into encrypted, password-seeded emoji streams. Affected versions of this package are vulnerable to Timing Attack in the getDecryptStream process. An attacker can bypass file integrity checks by exploiting timing discrepancies in the HMAC verification,...

CVSS 5.7 | AI score 6 | EPSS 0.00108
Exploits 0 | References 2
Snyk | added 2026/04/16 9:09 p.m. | 10 views

Improper Validation of Unsafe Equivalence in Input

Overview: @node-oauth/oauth2-server is a complete, framework-agnostic, compliant and well tested module for implementing an OAuth2 Server in node.js. Affected versions of this package are vulnerable to Improper Validation of Unsafe Equivalence in Input in the token process. An attacker can obtain...

CVSS 8.2 | AI score 5.8 | EPSS 0.00259
Exploits 1 | References 3
Snyk | added 2026/04/16 9:09 p.m. | 5 views

Uncontrolled Recursion

Overview: Affected versions of this package are vulnerable to Uncontrolled Recursion via the Utf8GraphQLParser parser. An attacker can cause the application to terminate unexpectedly and disrupt all active services by submitting a crafted GraphQL document with deeply nested selection sets, object...

CVSS 9.1 | AI score 5.8 | EPSS 0.00902
Exploits 0 | References 2
Snyk | added 2026/04/16 9:09 p.m. | 2 views

Incorrect Authorization

Overview: Affected versions of this package are vulnerable to Incorrect Authorization due to improper access control in the unaccess process. An attacker can cause disruption of all public shares routed through a global frontend by sending a DELETE request to the affected API endpoint with knowled...

CVSS 6 | AI score 5.7 | EPSS 0.00286
Exploits 0 | References 3
Snyk | added 2026/04/16 9:09 p.m. | 4 views

Incorrect Authorization

Overview: Affected versions of this package are vulnerable to Incorrect Authorization due to improper access control in the unaccess process. An attacker can cause disruption of all public shares routed through a global frontend by sending a DELETE request to the affected API endpoint with knowled...

CVSS 6 | AI score 5.8 | EPSS 0.00286
Exploits 0 | References 3
Snyk | added 2026/04/16 9:09 p.m. | 10 views

Incorrect Authorization

Overview: Affected versions of this package are vulnerable to Incorrect Authorization due to improper access control in the unaccess process. An attacker can cause disruption of all public shares routed through a global frontend by sending a DELETE request to the affected API endpoint with knowled...

CVSS 6 | AI score 5.7 | EPSS 0.00286
Exploits 0 | References 3
Snyk | added 2026/04/16 9:09 p.m. | 5 views

Incorrect Authorization

Overview: Affected versions of this package are vulnerable to Incorrect Authorization due to improper access control in the unaccess process. An attacker can cause disruption of all public shares routed through a global frontend by sending a DELETE request to the affected API endpoint with knowled...

CVSS 6 | AI score 5.8 | EPSS 0.00286
Exploits 0 | References 3
Snyk | added 2026/04/16 9:08 p.m. | 7 views

Directory Traversal

Overview: weblate is a web-based continuous localization system with tight version control integration. Affected versions of this package are vulnerable to Directory Traversal in the repository boundary validation, due to reliance on string prefix checks for resolved absolute paths. An attacker...

CVSS 8.3 | AI score 6.4 | EPSS 0.00324
Exploits 0 | References 2
Snyk | added 2026/04/16 9:00 p.m. | 6 views

Insertion of Sensitive Information Into Sent Data

Overview: Affected versions of this package are vulnerable to Insertion of Sensitive Information Into Sent Data in redactval, whose secret value redaction sets maxdepth=1 and therefore does not properly extend to values in nested JSON objects. An attacker can see such nested JSON values responses...

CVSS 6.3 | AI score 5.4 | EPSS 0.00421
Exploits 0 | References 2
Snyk | added 2026/04/16 8:45 p.m. | 4 views

Server-side Request Forgery (SSRF)

Overview: weblate is a web-based continuous localization system with tight version control integration. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the fetchurl function in the webhook add-on. An attacker can access internal resources by supplying...

CVSS 5.9 | AI score 5.7 | EPSS 0.00275
Exploits 0 | References 2
Snyk | added 2026/04/16 8:44 p.m. | 8 views

Allocation of Resources Without Limits or Throttling

Overview: mcp-framework is a framework for building Model Context Protocol (MCP) servers in Typescript. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the readRequestBody function. An attacker can exhaust system memory and cause a server...

CVSS 8.7 | AI score 5.8 | EPSS 0.00495
Exploits 0 | References 2
Snyk | added 2026/04/16 8:43 p.m. | 4 views

Incorrect Authorization

Overview: weblate is a web-based continuous localization system with tight version control integration. Affected versions of this package are vulnerable to Incorrect Authorization in the user API endpoint due to insufficient restriction on the scope of edits. An attacker can gain elevated...

CVSS 8.8 | AI score 5.8 | EPSS 0.00391
Exploits 0 | References 2
Snyk | added 2026/04/16 8:43 p.m. | 3 views

Server-side Request Forgery (SSRF)

Overview: weblate is a web-based continuous localization system with tight version control integration. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) in the project.edit permission. A user can access internal network resources and obtain up to 200 character...

CVSS 5.3 | AI score 5.8 | EPSS 0.0024
Exploits 0 | References 2
Snyk | added 2026/04/16 8:43 p.m. | 4 views

Symlink Attack

Overview: weblate is a web-based continuous localization system with tight version control integration. Affected versions of this package are vulnerable to Symlink Attack in the ZIP download. An attacker can access arbitrary files outside the intended repository by exploiting symlink traversal...

CVSS 8.5 | AI score 5.9 | EPSS 0.00465
Exploits 0 | References 3
Snyk | added 2026/04/16 8:42 p.m. | 8 views

Insertion of Sensitive Information into Log File

Overview: Affected versions of this package are vulnerable to Insertion of Sensitive Information into Log File in the InboxHandlingService. An attacker can access sensitive information such as personal data, citizen identifiers, and case details by viewing application logs that contain full inbox...

CVSS 7.1 | AI score 5.8 | EPSS 0.00366
Exploits 0 | References 2
Snyk | added 2026/04/16 8:41 p.m. | 5 views

Server-side Request Forgery (SSRF)

Overview: weblate is a web-based continuous localization system with tight version control integration. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) in the screenshot upload, due to improper enforcement of domain restrictions after redirects. An attacker c...

CVSS 7.6 | AI score 5.7 | EPSS 0.0024
Exploits 0 | References 2
Snyk | added 2026/04/16 8:41 p.m. | 3 views

Arbitrary File Upload

Overview: weblate is a web-based continuous localization system with tight version control integration. Affected versions of this package are vulnerable to Arbitrary File Upload in the backup restoration, due to insufficient filtering of configuration files. An attacker with access to create...

CVSS 8 | AI score 6.1 | EPSS 0.00708
Exploits 0 | References 4
Snyk | added 2026/04/16 8:41 p.m. | 3 views

Directory Traversal

Overview: weblate is a web-based continuous localization system with tight version control integration. Affected versions of this package are vulnerable to Directory Traversal via the translation memory API when unintended endpoints are exposed without proper access control. An attacker can acce...

CVSS 6.9 | AI score 6.4 | EPSS 0.00323
Exploits 0 | References 2
Snyk | added 2026/04/16 8:41 p.m. | 5 views

Missing Authorization

Overview: weblate is a web-based continuous localization system with tight version control integration. Affected versions of this package are vulnerable to Missing Authorization in the translation memory API due to unintended endpoints lacking proper access control. An attacker can gain...

CVSS 5.3 | AI score 5.7 | EPSS 0.00236
Exploits 0 | References 2
Snyk | added 2026/04/16 8:41 p.m. | 4 views

Authorization Bypass Through User-Controlled Key

Overview: weblate is a web-based continuous localization system with tight version control integration. Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key in the API for pending tasks due to missing verification of user access. An attacker can...

CVSS 4.9 | AI score 5.7 | EPSS 0.00221
Exploits 0 | References 2
Snyk | added 2026/04/16 6:31 p.m. | 5 views

Incorrect Authorization

Overview: silverstripe/assets is an asset module, a required component of SilverStripe Framework. Affected versions of this package are vulnerable to Incorrect Authorization via the DBFile::getURL process. An attacker can gain unauthorized access to protected files by exploiting the way access grants...

CVSS 6.9 | AI score 5.6 | EPSS 0.00398
Exploits 0 | References 2
Snyk | added 2026/04/16 6:31 p.m. | 3 views

Insufficient Entropy

Overview: Affected versions of this package are vulnerable to Insufficient Entropy due to insufficient randomness in the hash seed generation process. An attacker can cause excessive CPU consumption by submitting specially crafted XML documents that trigger hash collisions. Remediation Upgrade exp...

CVSS 8.7 | AI score 5.8 | EPSS 0.00379
Exploits 0 | References 2
Snyk | added 2026/04/16 3:31 p.m. | 4 views

Insertion of Sensitive Information into Log File

Overview: Affected versions of this package are vulnerable to Insertion of Sensitive Information into Log File due to JWT Tokens being embedded inside workload object in task logs. An attacker can gain unauthorized access to sensitive information by viewing log files containing JWT tokens. This...

CVSS 7.5 | AI score 5.7 | EPSS 0.00739
Exploits 0 | References 2
Snyk | added 2026/04/16 3:31 p.m. | 12 views

Arbitrary Code Injection

Overview: Affected versions of this package are vulnerable to Arbitrary Code Injection in the example code in examplexcom. Unsafe pattern of reading value from xcom could be exploited to allow UI user who had access to modify XComs to perform arbitrary execution of code on the worker. Note: Vendor...

CVSS 8.1 | AI score 6.1 | EPSS 0.00579
Exploits 0 | References 2
Snyk | added 2026/04/16 2:36 p.m. | 4 views

Access Control Bypass

Overview: Affected versions of this package are vulnerable to Access Control Bypass via the update process in the /payment/api/editable/update endpoint. An attacker can overwrite existing PHP payment hook files with arbitrary code by sending crafted requests, which are then executed during payment...

CVSS 10 | AI score 6 | EPSS 0.01941
Exploits 0 | References 2
Snyk | added 2026/04/16 1:29 p.m. | 3 views

Directory Traversal

Overview: @fastify/static is a plugin for serving static files as fast as possible. Affected versions of this package are vulnerable to Directory Traversal via the dirList.path function when directory listing is enabled. An attacker can access directory listings outside the configured static root ...

CVSS 6.9 | AI score 6.4 | EPSS 0.00506
Exploits 0 | References 2
Snyk | added 2026/04/16 1:09 p.m. | 5 views

Improper Handling of URL Encoding (Hex Encoding)

Overview: @fastify/static is a plugin for serving static files as fast as possible. Affected versions of this package are vulnerable to Improper Handling of URL Encoding (Hex Encoding) via the handling of percent-encoded path separators in the fastifyStatic function. This creates a mismatch between...

CVSS 8.2 | AI score 5.7 | EPSS 0.00398
Exploits 0 | References 2
Snyk | added 2026/04/16 8:37 a.m. | 4 views

Improper Handling of Length Parameter Inconsistency

Overview: Affected versions of this package are vulnerable to Improper Handling of Length Parameter Inconsistency in the receivexattr function when it relies on an untrusted length value during a qsort call. An attacker can achieve unauthorized access to sensitive information, modify data, or caus...

CVSS 7.8 | AI score 5.4 | EPSS 0.00393
Exploits 1 | References 2
Snyk | added 2026/04/16 3:34 a.m. | 8 views

Integer Overflow or Wraparound

Overview: Affected versions of this package are vulnerable to Integer Overflow or Wraparound in the cencschemedecrypt, cbc1schemedecrypt, censschemedecrypt, and cbcsschemedecrypt paths in libavformat/mov.c. An attacker can trigger out-of-bounds subsample size validation by supplying a crafted...

CVSS 9.8 | AI score 5.7 | EPSS 0.00134
Exploits 0 | References 2
Snyk | added 2026/04/16 1:37 a.m. | 3 views

Cross-site Scripting (XSS)

Overview: Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the attributionlink property, which constructs HTML by directly interpolating user-controlled fields without escaping. An attacker can execute arbitrary JavaScript in the context of users viewing ingredient o...

CVSS 9 | AI score 5.7 | EPSS 0.00207
Exploits 1 | References 2
Snyk | added 2026/04/16 1:35 a.m. | 4 views

Missing Authorization

Overview: Affected versions of this package are vulnerable to Missing Authorization in the GymConfigUpdateView. An attacker can gain unauthorized control over installation-wide configuration and modify other users' records by submitting changes to the /config/gym-config/edit endpoint as a...

CVSS 7.6 | AI score 5.8 | EPSS 0.00333
Exploits 1 | References 2
Snyk | added 2026/04/16 1:34 a.m. | 8 views

Code Execution

Overview: renovate is a dependency updater. Affected versions of this package are vulnerable to Code Execution via lockfile maintenance in bazel-module/lockfile.ts, used by bazel-module and bazelisk. An attacker can execute arbitrary code by introducing a malicious dependency that is...

CVSS 6.8 | AI score 6.2
Exploits 0 | References 2
Snyk | added 2026/04/16 1:31 a.m. | 8 views

Out-of-bounds Write

Overview: Affected versions of this package are vulnerable to Out-of-bounds Write in the ReadCLen function of the Tiano decompressor. An attacker can cause a crash by supplying specially crafted compressed firmware data that triggers a heap out-of-bounds write during decompression. Remediation...

CVSS 8.8 | AI score 5.5
Exploits 0 | References 2
Snyk | added 2026/04/16 1:30 a.m. | 8 views

Out-of-bounds Write

Overview: Affected versions of this package are vulnerable to Out-of-bounds Write through the MakeTable in the decompression routine when bit-length values from a crafted firmware blob exceed the expected range, leading to stack memory corruption in the Count array and related decode tables. An...

CVSS 8.8 | AI score 5.5
Exploits 0 | References 2
Snyk | added 2026/04/16 1:20 a.m. | 4 views

Origin Validation Error

Overview: pyload-ng is the free and open-source Download Manager written in pure Python. Affected versions of this package are vulnerable to Origin Validation Error via the setsessioncookiesecure function. An attacker can cause session cookies to be issued without the Secure flag or disrupt user...

CVSS 6.3 | AI score 5.4 | EPSS 0.00171
Exploits 1 | References 2
Snyk | added 2026/04/16 1:20 a.m. | 5 views

Insertion of Sensitive Information into Log File

Overview: langsmith is a client library to connect to the LangSmith Observability and Evaluation Platform. Affected versions of this package are vulnerable to Insertion of Sensitive Information into Log File through the Client handling of events. An attacker can bypass redaction controls and...

CVSS 6.3 | AI score 5.8 | EPSS 0.00214
Exploits 0 | References 3
Snyk | added 2026/04/16 1:20 a.m. | 3 views

Insertion of Sensitive Information into Log File

Overview: langsmith is a client library to connect to the LangSmith Observability and Evaluation Platform. Affected versions of this package are vulnerable to Insertion of Sensitive Information into Log File through the Client handling of events. An attacker can bypass redaction controls and...

CVSS 6.3 | AI score 5.8 | EPSS 0.00214
Exploits 0 | References 3
Snyk | added 2026/04/16 1:04 a.m. | 4 views

Integer Underflow (Wrap or Wraparound)

Overview: Affected versions of this package are vulnerable to Integer Underflow (Wrap or Wraparound) in the ACK frame decoding. An attacker can gain elevated privileges by sending specially crafted network packets that trigger an integer underflow during frame parsing. Remediation Upgrade...

CVSS 9.8 | AI score 5.8 | EPSS 0.00075
Exploits 0 | References 2
Snyk | added 2026/04/16 1:04 a.m. | 4 views

Integer Underflow (Wrap or Wraparound)

Overview: Affected versions of this package are vulnerable to Integer Underflow (Wrap or Wraparound) in the ACK frame decoding. An attacker can gain elevated privileges by sending specially crafted network packets that trigger an integer underflow during frame parsing. Remediation Upgrade...

CVSS 9.8 | AI score 5.8 | EPSS 0.00075
Exploits 0 | References 2
Snyk | added 2026/04/16 1:02 a.m. | 5 views

Cross-site Scripting (XSS)

Overview: hono is an ultrafast web framework for the Edges. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the jsxAttr and JSX attribute rendering paths in src/jsx/jsx-runtime.ts, src/jsx/base.ts, and src/jsx/dom/render.ts. An attacker can inject executable markup ...

CVSS 7.2 | AI score 5.6
Exploits 0 | References 2
Snyk | added 2026/04/16 1:02 a.m. | 5 views

PHP Remote File Inclusion

Overview: froxlor/froxlor is a server administration software. Affected versions of this package are vulnerable to PHP Remote File Inclusion via the deflanguage parameter in the API, which is not properly validated against the list of available language files. An attacker can execute arbitrary PHP...

CVSS 9.9 | AI score 6.1 | EPSS 0.00524
Exploits 1 | References 2
Snyk | added 2026/04/16 12:50 a.m. | 4 views

Arbitrary Code Injection

Overview: froxlor/froxlor is a server administration software. Affected versions of this package are vulnerable to Arbitrary Code Injection via the PhpHelper::parseArrayToString process. An attacker can execute arbitrary PHP code as the web server user by injecting specially crafted input into...

CVSS 9.1 | AI score 6.1 | EPSS 0.0048
Exploits 1 | References 2
Snyk | added 2026/04/16 12:47 a.m. | 7 views

CRLF Injection

Overview: froxlor/froxlor is a server administration software. Affected versions of this package are vulnerable to CRLF Injection via the DomainZones::add process. An attacker can inject arbitrary DNS records and BIND directives into zone files by submitting crafted DNS record types and content...

CVSS 8.5 | AI score 5.8 | EPSS 0.00347
Exploits 1 | References 2

Total number of security vulnerabilities: 32854