32886 matches found

Snyk
added 2026/04/14 11:09 p.m., 3 views

External Control of File Name or Path

Overview: Affected versions of this package are vulnerable to External Control of File Name or Path in the POST /Videos/itemId/Subtitles endpoint due to insufficient validation of the Format field, which allows path traversal via the file extension and enables arbitrary file write. An attacker can...

CVSS 9.9, AI score 5.9, EPSS 0.00753
Exploits 1, References 3

Snyk
added 2026/04/14 10:50 p.m., 3 views

Arbitrary Code Injection

Overview: wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Arbitrary Code Injection via the msg and callback fields in relayed WebSocket messages, which are processed by client-side eval sinks. An attacker can execute...

CVSS 10, AI score 6.1, EPSS 0.00645
Exploits 1, References 2

Snyk
added 2026/04/14 10:49 p.m., 12 views

Directory Traversal

Overview: wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Directory Traversal via the locale/save.php process. An attacker can write arbitrary PHP files to any web-accessible directory and execute code by supplying crafte...

CVSS 8.7, AI score 6.5, EPSS 0.00656
Exploits 1, References 2

Snyk
added 2026/04/14 10:49 p.m., 4 views

Active Debug Code

Overview: wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Active Debug Code via the git.json.php script, which executes a shell command and returns sensitive information as JSON to any unauthenticated user. An attacker ca...

CVSS 6.9, AI score 5.8
Exploits 0, References 2

Snyk
added 2026/04/14 10:49 p.m., 3 views

Authorization Bypass Through User-Controlled Key

Overview: wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the list.json.php process. An attacker can access sensitive third-party stream keys and OAuth tokens belonging...

CVSS 7.1, AI score 5.8
Exploits 0, References 2

Snyk
added 2026/04/14 10:38 p.m., 4 views

Out-of-bounds Read

Overview: Affected versions of this package are vulnerable to Out-of-bounds Read via the smartLeftAngle function in the smartypants.go file. An attacker can cause a panic or read unintended memory by providing input containing a character in the remaining text. PoC: package main import "bytes" "fmt"...

CVSS 8.7, AI score 5.8, EPSS 0.00346
Exploits 1, References 2

Snyk
added 2026/04/14 10:38 p.m., 5 views

SQL Injection

Overview: @vendure/core is a modern, headless ecommerce framework. Affected versions of this package are vulnerable to SQL Injection via the ProductService.findOneBySlug function in the Admin and Vendure Shop API. An attacker can execute arbitrary SQL commands on the database by supplying a crafted...

CVSS 9.1, AI score 6.1, EPSS 0.01762
Exploits 0, References 2

Snyk
added 2026/04/14 10:33 p.m., 4 views

Insertion of Sensitive Information into Log File

Overview: github.com/authzed/spicedb/pkg/cmd/server is a Google Zanzibar-inspired fine-grained permissions database. Affected versions of this package are vulnerable to Insertion of Sensitive Information into Log File in the configuration log output during startup when the log level is set to info...

CVSS 6.7, AI score 5.8, EPSS 0.00166
Exploits 0, References 2

Snyk
added 2026/04/14 10:32 p.m., 4 views

HTTP Response Splitting

Overview: Affected versions of this package are vulnerable to HTTP Response Splitting via the HTTPHOST value being directly embedded into the Message-ID header during email generation. An attacker can inject arbitrary SMTP headers into outgoing emails by supplying a crafted Host header during...

CVSS 7.2, AI score 5.9, EPSS 0.00255
Exploits 1, References 2

Snyk
added 2026/04/14 10:32 p.m., 5 views

Reliance on Cookies without Validation and Integrity Checking

Overview: Affected versions of this package are vulnerable to Reliance on Cookies without Validation and Integrity Checking via the serendipitysetCookie function. An attacker can cause authentication cookies, including session and auto-login tokens, to be scoped to an attacker-controlled domain by...

CVSS 6.9, AI score 5.7, EPSS 0.00224
Exploits 1, References 2

Snyk
added 2026/04/14 10:32 p.m., 8 views

Arbitrary Argument Injection

Overview: mcp-server-kubernetes is an MCP server for interacting with Kubernetes clusters via kubectl. Affected versions of this package are vulnerable to Arbitrary Argument Injection through the startPortForward function in src/tools/portforward.ts. An attacker can inject additional kubectl flags b...

CVSS 8.7, AI score 5.8, EPSS 0.00258
Exploits 0, References 2

Snyk
added 2026/04/14 10:31 p.m., 5 views

User Impersonation

Overview: Affected versions of this package are vulnerable to User Impersonation via the isHealthCheckRequest function in pkg/middleware/healthcheck.go. An attacker can reach protected endpoints by sending a request with a configured health-check User-Agent, causing the middleware to treat the...

CVSS 9.3, AI score 5.7, EPSS 0.00475
Exploits 0, References 2

Snyk
added 2026/04/14 10:30 p.m., 4 views

Command Injection

Overview: Affected versions of this package are vulnerable to Command Injection via the Resize-VHD PowerShell command construction process. An attacker can execute arbitrary PowerShell commands with the privileges of the affected process by supplying a crafted VM image path containing malicious...

CVSS 8.8, AI score 6, EPSS 0.00607
Exploits 0, References 2

Snyk
added 2026/04/14 10:29 p.m., 4 views

Cross-site Scripting (XSS)

Overview: Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the SVG sanitization process. An attacker can execute arbitrary scripts in the context of a privileged user by uploading a crafted SVG file that bypasses attribute filtering. This is only exploitable if the...

CVSS 6.1, AI score 5.8, EPSS 0.00217
Exploits 0, References 2

Snyk
added 2026/04/14 10:29 p.m., 7 views

Arbitrary Code Injection

Overview: Affected versions of this package are vulnerable to Arbitrary Code Injection in the INI settings parser when environment variable interpolation is processed via the parseinistring function. An attacker with Editor permissions can retrieve sensitive environment variables by injecting...

CVSS 6.9, AI score 5.7, EPSS 0.00326
Exploits 0, References 2

Snyk
added 2026/04/14 10:22 p.m., 6 views

Missing Authorization

Overview: Affected versions of this package are vulnerable to Missing Authorization in the amendment acceptance flow. An attacker can gain unauthorized coauthorship and modify proposal outcomes by submitting amendment accept or reject actions without proper authorization checks. Workaround: This...

CVSS 7.5, AI score 5.7, EPSS 0.00223
Exploits 0, References 2

Snyk
added 2026/04/14 9:31 p.m., 5 views

Access of Resource Using Incompatible Type ('Type Confusion')

Overview: keystone is a package that provides authentication, authorization and service discovery mechanisms via HTTP, primarily for use by projects in the OpenStack family. Affected versions of this package are vulnerable to Access of Resource Using Incompatible Type ('Type Confusion') via the...

CVSS 7.7, AI score 5.7, EPSS 0.00317
Exploits 0, References 2

Snyk
added 2026/04/14 8:09 p.m., 6 views

Unintended Proxy or Intermediary ('Confused Deputy')

Overview: Affected versions of this package are vulnerable to Unintended Proxy or Intermediary ('Confused Deputy') via the apiCall servicecall helper. An attacker can obtain sensitive service account tokens by crafting a policy that triggers an outbound request without an explicit Authorization...

CVSS 8.1, AI score 5.8, EPSS 0.00289
Exploits 1, References 2

Snyk
added 2026/04/14 8:06 p.m., 8 views

Server-side Request Forgery (SSRF)

Overview: Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) in the APICall feature. An attacker can access sensitive internal resources and exfiltrate confidential data by supplying arbitrary URLs to the APICall feature, which are executed with elevated privilege...

CVSS 7.7, AI score 5.9
Exploits 0, References 2

Snyk
added 2026/04/14 8:05 p.m., 5 views

Server-side Request Forgery (SSRF)

Overview: Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the ClusterPolicy when apiCall.service.url is used with variable substitution, e.g. request.object.. An attacker can retrieve sensitive information from internal services or cloud metadata endpoints b...

CVSS 7.7, AI score 5.4
Exploits 0, References 2

Snyk
added 2026/04/14 8:05 p.m., 4 views

Modification of Assumed-Immutable Data (MAID)

Overview: justhtml is a pure Python HTML5 parser that just works. Affected versions of this package are vulnerable to Modification of Assumed-Immutable Data (MAID) through the sanitize, sanitizedom, and JustHTML..., sanitize=True paths in src/justhtml/sanitize.py. An attacker can bypass intended...

CVSS 6.1, AI score 5.7
Exploits 0, References 4

Snyk
added 2026/04/14 8:03 p.m., 5 views

Command Injection

Overview: composer/composer is a Dependency Manager for PHP. Composer helps you declare, manage and install dependencies of PHP projects. It ensures you have the right stack everywhere. Affected versions of this package are vulnerable to Command Injection via the generateP4Command function. An...

CVSS 8.5, AI score 6.3, EPSS 0.01065
Exploits 4, References 2

Snyk
added 2026/04/14 8:02 p.m., 5 views

Cross-site Scripting (XSS)

Overview: Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the mail preview feature of the Event Log, where HTML content is rendered in an iframe without proper sandboxing. An attacker can execute arbitrary JavaScript in the context of a privileged user's browser by...

CVSS 5.4, AI score 5.7, EPSS 0.00198
Exploits 0, References 2

Snyk
added 2026/04/14 8:02 p.m., 4 views

Cross-site Scripting (XSS)

Overview: Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the processing of the Markup Classes fields within the backend editor settings. An attacker can execute arbitrary JavaScript code in the context of users who open a RichEditor by injecting malicious values th...

CVSS 6.1, AI score 5.8, EPSS 0.00252
Exploits 0, References 2

Snyk
added 2026/04/14 8:02 p.m., 3 views

Protection Mechanism Failure

Overview: Affected versions of this package are vulnerable to Protection Mechanism Failure in the collect process. An attacker can gain unauthorized access to restricted template functionality by leveraging insufficient sandbox restrictions when authenticated with backend access and template editi...

CVSS 6.9, AI score 5.7, EPSS 0.00395
Exploits 2, References 3

Snyk
added 2026/04/14 8:01 p.m., 7 views

Command Injection

Overview: composer/composer is a Dependency Manager for PHP. Composer helps you declare, manage and install dependencies of PHP projects. It ensures you have the right stack everywhere. Affected versions of this package are vulnerable to Command Injection via the Perforce::syncCodeBase and...

CVSS 8.8, AI score 6.3, EPSS 0.01688
Exploits 2, References 2

Snyk
added 2026/04/14 8:01 p.m., 3 views

Open Redirect

Overview: @adonisjs/http-server is an AdonisJS HTTP server with routing and cookie support. Affected versions of this package are vulnerable to Open Redirect via the response.redirect.back function. An attacker can redirect users to malicious external sites by manipulating the Referer...

CVSS 6.1, AI score 5.7, EPSS 0.00248
Exploits 0, References 2

Snyk
added 2026/04/14 8:00 p.m., 4 views

Improper Check for Unusual or Exceptional Conditions

Overview: Affected versions of this package are vulnerable to Improper Check for Unusual or Exceptional Conditions in the HandlePolicyDataSubsToNotifySubsIdPut process. An attacker can cause unintended modification of existing Policy Data notification subscriptions by sending malformed, empty, or...

CVSS 6.9, AI score 5.8, EPSS 0.00321
Exploits 1, References 3

Snyk
added 2026/04/14 8:00 p.m., 3 views

Improper Check for Unusual or Exceptional Conditions

Overview: Affected versions of github.com/free5gc/udr/internal/sbi are vulnerable to Improper Check for Unusual or Exceptional Conditions in the HandlePolicyDataSubsToNotifySubsIdPut process. An attacker can cause unintended modification of existing Policy Data notification...

CVSS 6.9, AI score 5.8, EPSS 0.00321
Exploits 1, References 3

Snyk
added 2026/04/14 8:00 p.m., 5 views

Improper Authorization

Overview: Affected versions of github.com/free5gc/udr/internal/sbi are vulnerable to Improper Authorization through improper validation of the influenceId path parameter in the DELETE endpoint. An attacker can remove arbitrary Traffic Influence Subscriptions by sending a...

CVSS 8.7, AI score 5.9, EPSS 0.0038
Exploits 1, References 2

Snyk
added 2026/04/14 8:00 p.m., 6 views

Improper Authorization

Overview: Affected versions of this package are vulnerable to Improper Authorization through improper validation of the influenceId path parameter in the DELETE endpoint. An attacker can remove arbitrary Traffic Influence Subscriptions by sending a crafted request with an invalid influenceId value...

CVSS 8.7, AI score 5.9, EPSS 0.0038
Exploits 1, References 2

Snyk
added 2026/04/14 8:00 p.m., 5 views

Information Exposure

Overview: Affected versions of github.com/free5gc/udr/internal/sbi are vulnerable to Information Exposure in the HandleApplicationDataInfluenceDataSubsToNotifyGet process. An attacker can access sensitive subscriber identifiers by sending unauthenticated HTTP GET requests t...

CVSS 8.7, AI score 5.8, EPSS 0.00506
Exploits 1, References 3

Snyk
added 2026/04/14 8:00 p.m., 4 views

Information Exposure

Overview: Affected versions of this package are vulnerable to Information Exposure in the HandleApplicationDataInfluenceDataSubsToNotifyGet process. An attacker can access sensitive subscriber identifiers by sending unauthenticated HTTP GET requests to the affected endpoint without any query...

CVSS 8.7, AI score 5.8, EPSS 0.00506
Exploits 1, References 3

Snyk
added 2026/04/14 6:51 p.m., 8 views

Out-of-bounds Write

Overview: Magick.NET-Q16-OpenMP-x64 is a Magick.NET build. Magick.NET allows you to use ImageMagick without having to install ImageMagick on your server or desktop; for more information about specific builds, see the official docs: https://github.com/dlemstra/Magick.NET/tree/main/docs. Affected versions of this package a...

CVSS 6.8, AI score 5.8, EPSS 0.00189
Exploits 0, References 3

Snyk
added 2026/04/14 6:51 p.m., 9 views

Out-of-bounds Write

Overview: Magick.NET-Q16-AnyCPU is a Magick.NET build. Magick.NET allows you to use ImageMagick without having to install ImageMagick on your server or desktop; for more information about specific builds, see the official docs: https://github.com/dlemstra/Magick.NET/tree/main/docs. Affected versions of this package are...

CVSS 6.8, AI score 5.8, EPSS 0.00189
Exploits 0, References 3

Snyk
added 2026/04/14 6:51 p.m., 8 views

Out-of-bounds Write

Overview: Magick.NET-Q8-AnyCPU is a Magick.NET build. Magick.NET allows you to use ImageMagick without having to install ImageMagick on your server or desktop; for more information about specific builds, see the official docs: https://github.com/dlemstra/Magick.NET/tree/main/docs. Affected versions of this package are...

CVSS 6.8, AI score 5.8, EPSS 0.00189
Exploits 0, References 3

Snyk
added 2026/04/14 6:51 p.m., 9 views

Out-of-bounds Write

Overview: Magick.NET-Q8-x86 is a Magick.NET build. Magick.NET allows you to use ImageMagick without having to install ImageMagick on your server or desktop; for more information about specific builds, see the official docs: https://github.com/dlemstra/Magick.NET/tree/main/docs. Affected versions of this package are...

CVSS 6.8, AI score 5.8, EPSS 0.00189
Exploits 0, References 3

Snyk
added 2026/04/14 6:51 p.m., 7 views

Out-of-bounds Write

Overview: Magick.NET-Q8-x64 is a Magick.NET build. Magick.NET allows you to use ImageMagick without having to install ImageMagick on your server or desktop; for more information about specific builds, see the official docs: https://github.com/dlemstra/Magick.NET/tree/main/docs. Affected versions of this package are...

CVSS 6.8, AI score 5.8, EPSS 0.00189
Exploits 0, References 3

Snyk
added 2026/04/14 6:51 p.m., 6 views

Out-of-bounds Write

Overview: Magick.NET-Q16-HDRI-x86 is a Magick.NET build. Magick.NET allows you to use ImageMagick without having to install ImageMagick on your server or desktop; for more information about specific builds, see the official docs: https://github.com/dlemstra/Magick.NET/tree/main/docs. Affected versions of this package are...

CVSS 6.8, AI score 5.8, EPSS 0.00189
Exploits 0, References 3

Snyk
added 2026/04/14 6:51 p.m., 5 views

Out-of-bounds Write

Overview: Magick.NET-Q16-HDRI-AnyCPU is a Magick.NET build. Magick.NET allows you to use ImageMagick without having to install ImageMagick on your server or desktop; for more information about specific builds, see the official docs: https://github.com/dlemstra/Magick.NET/tree/main/docs. Affected versions of this package...

CVSS 6.8, AI score 5.8, EPSS 0.00189
Exploits 0, References 3
