32858 matches found

Snyk · added 2026/04/16 1:02 a.m. · 5 views

Cross-site Scripting (XSS)

Overview: hono is an Ultrafast web framework for the Edges. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the jsxAttr and JSX attribute rendering paths in src/jsx/jsx-runtime.ts, src/jsx/base.ts, and src/jsx/dom/render.ts. An attacker can inject executable markup ...

CVSS 7.2 · AI score 5.6
Exploits 0 · References 2
Snyk · added 2026/04/16 1:02 a.m. · 5 views

PHP Remote File Inclusion

Overview: froxlor/froxlor is a server administration software. Affected versions of this package are vulnerable to PHP Remote File Inclusion via the deflanguage parameter in the API, which is not properly validated against the list of available language files. An attacker can execute arbitrary PHP...

CVSS 9.9 · AI score 6.1 · EPSS 0.00524
Exploits 1 · References 2
Snyk · added 2026/04/16 12:50 a.m. · 4 views

Arbitrary Code Injection

Overview: froxlor/froxlor is a server administration software. Affected versions of this package are vulnerable to Arbitrary Code Injection via the PhpHelper::parseArrayToString process. An attacker can execute arbitrary PHP code as the web server user by injecting specially crafted input into...

CVSS 9.1 · AI score 6.1 · EPSS 0.0048
Exploits 1 · References 2
Snyk · added 2026/04/16 12:47 a.m. · 7 views

CRLF Injection

Overview: froxlor/froxlor is a server administration software. Affected versions of this package are vulnerable to CRLF Injection via the DomainZones::add process. An attacker can inject arbitrary DNS records and BIND directives into zone files by submitting crafted DNS record types and content...

CVSS 8.5 · AI score 5.8 · EPSS 0.00347
Exploits 1 · References 2
Snyk · added 2026/04/16 12:47 a.m. · 4 views

Symlink Attack

Overview: froxlor/froxlor is a server administration software. Affected versions of this package are vulnerable to Symlink Attack via the DataDump.add process. An attacker can gain ownership of arbitrary directories and their contents by creating a symlink within their own directory that points to...

CVSS 7.7 · AI score 5.9 · EPSS 0.00414
Exploits 1 · References 2
Snyk · added 2026/04/16 12:47 a.m. · 6 views

Incorrect Authorization

Overview: froxlor/froxlor is a server administration software. Affected versions of this package are vulnerable to Incorrect Authorization in the add process of the EmailSender component due to improper domain ownership validation. An attacker can impersonate users on domains belonging to other...

CVSS 5.3 · AI score 5.8 · EPSS 0.00231
Exploits 1 · References 2
Snyk · added 2026/04/16 12:46 a.m. · 6 views

Incorrect Authorization

Overview: froxlor/froxlor is a server administration software. Affected versions of this package are vulnerable to Incorrect Authorization in the Domains.add process. An attacker can bypass domain quota restrictions and exhaust another admin's quota by specifying an arbitrary adminid parameter whe...

CVSS 5.4 · AI score 5.9 · EPSS 0.00264
Exploits 1 · References 2
Snyk · added 2026/04/16 12:46 a.m. · 4 views

Operator Precedence Logic Error

Overview: org.webjars.npm:dompurify is a DOM-only XSS sanitizer for HTML, MathML and SVG. Affected versions of this package are vulnerable to Operator Precedence Logic Error in the form of short-circuit evaluation that gives precedence to ADD_TAGS over FORBID_TAGS in sanitizeElements. In an...

CVSS 8.1 · AI score 5.7 · EPSS 0.00263
Exploits 1 · References 2
Snyk · added 2026/04/16 12:46 a.m. · 8 views

Operator Precedence Logic Error

Overview: dompurify is a DOM-only XSS sanitizer for HTML, MathML and SVG. Affected versions of this package are vulnerable to Operator Precedence Logic Error in the form of short-circuit evaluation that gives precedence to ADD_TAGS over FORBID_TAGS in sanitizeElements. In an application where ADDTAG...

CVSS 8.1 · AI score 5.7 · EPSS 0.00263
Exploits 1 · References 2
Snyk · added 2026/04/16 12:31 a.m. · 5 views

Improper Neutralization

Overview: Affected versions of this package are vulnerable to Improper Neutralization due to the serviceAccountRegex matcher in pilot/pkg/security/authz/model/generator.go. An attacker can gain access to workloads protected by AuthorizationPolicy rules by presenting a SPIFFE identity whose namespa...

CVSS 7.1 · AI score 5.7 · EPSS 0.00209
Exploits 0 · References 3
Snyk · added 2026/04/16 12:29 a.m. · 6 views

Untrusted Search Path

Overview: yubikey-manager is a Library and CLI for managing your YubiKey configuration. Affected versions of this package are vulnerable to Untrusted Search Path due to the unintended search order for dynamic link libraries. An attacker can execute arbitrary code by placing a malicious DLL in a...

CVSS 2.9 · AI score 6.2 · EPSS 0.00131
Exploits 0 · References 2
Snyk · added 2026/04/16 12:00 a.m. · 5 views

Access of Resource Using Incompatible Type ('Type Confusion')

Overview: Affected versions of this package are vulnerable to Access of Resource Using Incompatible Type ('Type Confusion') while handling a specially crafted XML Schema Definition (XSD) validated document containing an internal entity reference. An attacker can cause the application to crash by...

CVSS 7.5 · AI score 5.8 · EPSS 0.00632
Exploits 1 · References 2
Snyk · added 2026/04/15 10:30 p.m. · 4 views

Information Exposure

Overview: Affected versions of this package are vulnerable to Information Exposure via the pprof endpoint. An attacker can obtain sensitive authentication tokens by sending unauthenticated requests to the /debug/pprof/cmdline endpoint and subsequently use the leaked token to gain unauthorized...

CVSS 9.4 · AI score 5.8 · EPSS 0.00509
Exploits 1 · References 2
Snyk · added 2026/04/15 10:30 p.m. · 3 views

Information Exposure

Overview: Affected versions of this package are vulnerable to Information Exposure via the pprof endpoint. An attacker can obtain sensitive authentication tokens by sending unauthenticated requests to the /debug/pprof/cmdline endpoint and subsequently use the leaked token to gain unauthorized...

CVSS 9.4 · AI score 5.5 · EPSS 0.00509
Exploits 1 · References 2
Snyk · added 2026/04/15 10:30 p.m. · 3 views

Information Exposure

Overview: Affected versions of this package are vulnerable to Information Exposure via the pprof endpoint. An attacker can obtain sensitive authentication tokens by sending unauthenticated requests to the /debug/pprof/cmdline endpoint and subsequently use the leaked token to gain unauthorized...

CVSS 9.4 · AI score 5.5 · EPSS 0.00509
Exploits 1 · References 2
Snyk · added 2026/04/15 10:30 p.m. · 7 views

Information Exposure

Overview: Affected versions of this package are vulnerable to Information Exposure via the pprof endpoint. An attacker can obtain sensitive authentication tokens by sending unauthenticated requests to the /debug/pprof/cmdline endpoint and subsequently use the leaked token to gain unauthorized...

CVSS 9.4 · AI score 5.5 · EPSS 0.00509
Exploits 1 · References 2
Snyk · added 2026/04/15 10:30 p.m. · 4 views

Information Exposure

Overview: Affected versions of this package are vulnerable to Information Exposure via the pprof endpoint. An attacker can obtain sensitive authentication tokens by sending unauthenticated requests to the /debug/pprof/cmdline endpoint and subsequently use the leaked token to gain unauthorized...

CVSS 9.4 · AI score 5.8 · EPSS 0.00509
Exploits 1 · References 2
Snyk · added 2026/04/15 10:30 p.m. · 4 views

Information Exposure

Overview: Affected versions of this package are vulnerable to Information Exposure via the pprof endpoint. An attacker can obtain sensitive authentication tokens by sending unauthenticated requests to the /debug/pprof/cmdline endpoint and subsequently use the leaked token to gain unauthorized...

CVSS 9.4 · AI score 5.8 · EPSS 0.00509
Exploits 1 · References 2
Snyk · added 2026/04/15 10:30 p.m. · 4 views

Server-side Request Forgery (SSRF)

Overview: processwire/processwire is a CMS/CMF. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) in the Add Module From URL process. An attacker can access internal network resources and sensitive endpoints by supplying arbitrary URLs to the module download...

CVSS 6.8 · AI score 5.9 · EPSS 0.00385
Exploits 0 · References 2
Snyk · added 2026/04/15 9:30 p.m. · 3 views

Incorrect Authorization

Overview: Affected versions of this package are vulnerable to Incorrect Authorization due to improper truncation of subresource names in the authorization process. An attacker can gain unauthorized access to subresources or perform unauthorized actions by exploiting incorrect permission evaluation...

CVSS 5.4 · AI score 5.7 · EPSS 0.0015
Exploits 0 · References 2
Snyk · added 2026/04/15 9:30 p.m. · 4 views

Incorrect Authorization

Overview: Affected versions of this package are vulnerable to Incorrect Authorization due to improper truncation of subresource names in the authorization process. An attacker can gain unauthorized access to subresources or perform unauthorized actions by exploiting incorrect permission evaluation...

CVSS 5.4 · AI score 5.7 · EPSS 0.0015
Exploits 0 · References 2
Snyk · added 2026/04/15 9:26 p.m. · 3 views

Cross-site Scripting (XSS)

Overview: @apostrophecms/seo is a SEO Tools for ApostropheCMS. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in renderNodes, via SEO Title and Meta Description values, where user-controlled input is rendered without proper output encoding into HTML contexts such as...

CVSS 8.7 · AI score 5.5 · EPSS 0.00298
Exploits 1 · References 2
Snyk · added 2026/04/15 9:26 p.m. · 6 views

Cross-site Scripting (XSS)

Overview: apostrophe is a content management system (CMS) for Node.js. It supports in-context editing, schema-driven content types, flexible widgets and a great deal more. This module contains everything necessary to build a website with ApostropheCMS. Affected versions of this package are vulnerabl...

CVSS 8.7 · AI score 5.5 · EPSS 0.00298
Exploits 1 · References 2
Snyk · added 2026/04/15 9:26 p.m. · 4 views

Authorization Bypass Through User-Controlled Key

Overview: apostrophe is a content management system (CMS) for Node.js. It supports in-context editing, schema-driven content types, flexible widgets and a great deal more. This module contains everything necessary to build a website with ApostropheCMS. Affected versions of this package are vulnerabl...

CVSS 6.9 · AI score 5.8 · EPSS 0.00435
Exploits 1 · References 3
Snyk · added 2026/04/15 9:26 p.m. · 4 views

Cross-site Scripting (XSS)

Overview: apostrophe is a content management system (CMS) for Node.js. It supports in-context editing, schema-driven content types, flexible widgets and a great deal more. This module contains everything necessary to build a website with ApostropheCMS. Affected versions of this package are vulnerabl...

CVSS 6.1 · AI score 5.6 · EPSS 0.0021
Exploits 1 · References 2
Snyk · added 2026/04/15 9:25 p.m. · 10 views

Directory Traversal

Overview: Affected versions of this package are vulnerable to Directory Traversal via the namespace parameter in the Ruler API endpoint after double URL encoding. An attacker can access arbitrary files by sending specially crafted requests. Details: A Directory Traversal attack also known as path...

CVSS 6.9 · AI score 6.5 · EPSS 0.00409
Exploits 0 · References 2
Snyk · added 2026/04/15 9:25 p.m. · 4 views

Incorrect Authorization

Overview: apostrophe is a content management system (CMS) for Node.js. It supports in-context editing, schema-driven content types, flexible widgets and a great deal more. This module contains everything necessary to build a website with ApostropheCMS. Affected versions of this package are vulnerabl...

CVSS 6.9 · AI score 5.7 · EPSS 0.00512
Exploits 1 · References 2
Snyk · added 2026/04/15 9:25 p.m. · 5 views

Cross-site Scripting (XSS)

Overview: sanitize-html is a library that allows you to clean up user-submitted HTML, preserving whitelisted elements and whitelisted attributes on a per-element basis. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in sanitizeHtml, when entity-encoded text is present...

CVSS 6.1 · AI score 5.5 · EPSS 0.00235
Exploits 1 · References 2
Snyk · added 2026/04/15 8:23 p.m. · 10 views

Incorrect Permission Assignment for Critical Resource

Overview: Affected versions of this package are vulnerable to Incorrect Permission Assignment for Critical Resource in the Correlations feature due to a backward compatibility condition that allows records with orgid=0 to be accessed across organizations. An attacker with datasource management...

CVSS 3.8 · AI score 5.8 · EPSS 0.00204
Exploits 0 · References 2
Snyk · added 2026/04/15 8:22 p.m. · 4 views

Timing Attack

Overview: apostrophe is a content management system (CMS) for Node.js. It supports in-context editing, schema-driven content types, flexible widgets and a great deal more. This module contains everything necessary to build a website with ApostropheCMS. Affected versions of this package are vulnerabl...

CVSS 6.3 · AI score 5.8 · EPSS 0.00365
Exploits 1 · References 2
Snyk · added 2026/04/15 8:22 p.m. · 8 views

Use of Hard-coded Credentials

Overview: Affected versions of this package are vulnerable to Use of Hard-coded Credentials when the nexus.orient.binaryListenerEnabled configuration is set to true. This option is set by default in legacy HA-C mode, but not in standalone deployments, including HA deployments. An attacker can gain...

CVSS 9.2 · AI score 5.9 · EPSS 0.00461
Exploits 0 · References 2
Snyk · added 2026/04/15 8:22 p.m. · 3 views

Exposure of Private Personal Information to an Unauthorized Actor

Overview: Affected versions of this package are vulnerable to Exposure of Private Personal Information to an Unauthorized Actor via the configuration API when type protection is missing for sensitive fields. An attacker can obtain confidential credentials by sending requests directly to the API...

CVSS 9.3 · AI score 5.4 · EPSS 0.00406
Exploits 0 · References 2
Snyk · added 2026/04/15 7:46 p.m. · 4 views

Improperly Controlled Modification of Dynamically-Determined Object Attributes

Overview: Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes through the updateUserPreference process. An attacker can alter restricted financial attributes by sending crafted API requests to modify their own hourlyrat...

CVSS 5.3 · AI score 5.8 · EPSS 0.00267
Exploits 1 · References 2
Snyk · added 2026/04/15 7:46 p.m. · 3 views

Cross-site Scripting (XSS)

Overview: Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to incomplete escaping of user-controlled data in the escapeForHtml function. An attacker can execute arbitrary JavaScript in the context of another user's browser session by injecting specially crafted input into...

CVSS 5.4 · AI score 5.7 · EPSS 0.00207
Exploits 1 · References 2
Snyk · added 2026/04/15 7:46 p.m. · 3 views

Template Injection

Overview: Affected versions of this package are vulnerable to Template Injection due to the TemplateEngine's improper invalidation of certain syntactic patterns during expression evaluation. An attacker can inject into sensitive objects to execute unauthorized actions. Remediation: Upgrade...

CVSS 9.2 · AI score 5.9 · EPSS 0.00776
Exploits 0 · References 3
Snyk · added 2026/04/15 7:46 p.m. · 4 views

Template Injection

Overview: Affected versions of this package are vulnerable to Template Injection due to the TemplateEngine's improper invalidation of certain syntactic patterns during expression evaluation. An attacker can inject into sensitive objects to execute unauthorized actions. Remediation: Upgrade...

CVSS 9.2 · AI score 5.9 · EPSS 0.00776
Exploits 0 · References 3
Snyk · added 2026/04/15 7:46 p.m. · 4 views

Template Injection

Overview: Affected versions of this package are vulnerable to Template Injection due to the TemplateEngine's improper invalidation of certain syntactic patterns during expression evaluation. An attacker can inject into sensitive objects to execute unauthorized actions. Remediation: Upgrade...

CVSS 9.2 · AI score 5.9 · EPSS 0.00776
Exploits 0 · References 3
Snyk · added 2026/04/15 7:46 p.m. · 3 views

Template Injection

Overview: Affected versions of this package are vulnerable to Template Injection due to the TemplateEngine's improper restriction of accessible object scope during expression evaluation. An attacker can inject into sensitive objects to execute unauthorized actions. Remediation: Upgrade...

CVSS 9.2 · AI score 5.8 · EPSS 0.00862
Exploits 0 · References 3
Snyk · added 2026/04/15 7:46 p.m. · 4 views

Template Injection

Overview: Affected versions of this package are vulnerable to Template Injection due to the TemplateEngine's improper restriction of accessible object scope during expression evaluation. An attacker can inject into sensitive objects to execute unauthorized actions. Remediation: Upgrade...

CVSS 9.2 · AI score 5.8 · EPSS 0.00862
Exploits 0 · References 3
Snyk · added 2026/04/15 7:46 p.m. · 4 views

Template Injection

Overview: Affected versions of this package are vulnerable to Template Injection due to the TemplateEngine's improper restriction of accessible object scope during expression evaluation. An attacker can inject into sensitive objects to execute unauthorized actions. Remediation: Upgrade...

CVSS 9.2 · AI score 5.8 · EPSS 0.00862
Exploits 0 · References 3
Snyk · added 2026/04/15 7:45 p.m. · 7 views

Excessive Iteration

Overview: python-multipart is a streaming multipart parser for Python. Affected versions of this package are vulnerable to Excessive Iteration in the parsing performed by multipart.py. An attacker can degrade performance by sending multipart requests with very large preamble or epilogue sections...

CVSS 6.9 · AI score 5.8 · EPSS 0.00351
Exploits 0 · References 2
Snyk · added 2026/04/15 7:43 p.m. · 69 views

Logging of Excessive Data

Overview: pocketmine/pocketmine-mp is a highly customisable, open source server software for Minecraft: Bedrock Edition written in PHP. Affected versions of this package are vulnerable to Logging of Excessive Data through the processing of client data JWTs in LoginPacket. An attacker can cause...

CVSS 6.9 · AI score 5.8
Exploits 0 · References 2
Snyk · added 2026/04/15 7:43 p.m. · 3 views

Improper Validation of Specified Quantity in Input

Overview: pypdf is a pure-python PDF library capable of splitting, merging, cropping, and transforming PDF files. Affected versions of this package are vulnerable to Improper Validation of Specified Quantity in Input through the PdfReader object stream and xref stream parsers in pypdf/reader.py...

CVSS 7.1 · AI score 5.8 · EPSS 0.00297
Exploits 0 · References 3
Snyk · added 2026/04/15 7:42 p.m. · 12 views

XML External Entity (XXE) Injection

Overview: Affected versions of this package are vulnerable to XML External Entity (XXE) Injection in the startAssetImport process. An attacker can access sensitive files on the server or initiate server-side requests by uploading specially crafted XML files containing external entity references. Thi...

CVSS 7.6 · AI score 5.9 · EPSS 0.00249
Exploits 1 · References 2
Snyk · added 2026/04/15 7:30 p.m. · 7 views

Insufficient Granularity of Access Control

Overview: Affected versions of this package are vulnerable to Insufficient Granularity of Access Control in namespace validation for the ImageUpdater resources. An attacker can perform unauthorized image updates on applications in other namespaces by creating or modifying ImageUpdater resources,...

CVSS 9.1 · AI score 5.8 · EPSS 0.00357
Exploits 0 · References 2
Snyk · added 2026/04/15 7:30 p.m. · 6 views

Insufficient Granularity of Access Control

Overview: Affected versions of this package are vulnerable to Insufficient Granularity of Access Control in namespace validation for the ImageUpdater resources. An attacker can perform unauthorized image updates on applications in other namespaces by creating or modifying ImageUpdater resources,...

CVSS 9.1 · AI score 5.8 · EPSS 0.00357
Exploits 0 · References 2
Snyk · added 2026/04/15 7:19 p.m. · 6 views

Always-Incorrect Control Flow Implementation

Overview: Affected versions of this package are vulnerable to Always-Incorrect Control Flow Implementation due to an inverted time comparison in the OIDC JWKS and token cache processes. An attacker can cause expired tokens to be reused or force repeated network requests to the OIDC provider by...

CVSS 6.3 · AI score 5.8 · EPSS 0.00291
Exploits 0 · References 2
Snyk · added 2026/04/15 7:19 p.m. · 10 views

Always-Incorrect Control Flow Implementation

Overview: Affected versions of this package are vulnerable to Always-Incorrect Control Flow Implementation due to an inverted time comparison in the OIDC JWKS and token cache processes. An attacker can cause expired tokens to be reused or force repeated network requests to the OIDC provider by...

CVSS 6.3 · AI score 5.8 · EPSS 0.00291
Exploits 0 · References 2
Snyk · added 2026/04/15 7:19 p.m. · 7 views

Always-Incorrect Control Flow Implementation

Overview: Affected versions of this package are vulnerable to Always-Incorrect Control Flow Implementation due to an inverted time comparison in the OIDC JWKS and token cache processes. An attacker can cause expired tokens to be reused or force repeated network requests to the OIDC provider by...

CVSS 6.3 · AI score 5.8 · EPSS 0.00291
Exploits 0 · References 2
Snyk · added 2026/04/15 7:19 p.m. · 6 views

Insufficient Session Expiration

Overview: Affected versions of this package are vulnerable to Insufficient Session Expiration in the DSF FHIR and BPE Servers with enabled OIDC authentication due to the lack of session timeout enforcement in OIDC browser sessions. An attacker can gain unauthorized access to a user's session by...

CVSS 6.8 · AI score 5.8 · EPSS 0.00154
Exploits 0 · References 2

Total number of security vulnerabilities: 32858