Lucene search
K

35669 matches found

Snyk
Snyk
•added 2026/07/06 9:6 p.m.•4 views

Allocation of Resources Without Limits or Throttling

Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the CreateTarFromZip process. An attacker can exhaust system memory and cause a service outage by uploading a zip file containing many highly compressible entries, resulting in...

7.1CVSS6AI score0.00602EPSS
Exploits0References3
Snyk
Snyk
•added 2026/07/06 9:6 p.m.•4 views

Allocation of Resources Without Limits or Throttling

Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the CreateTarFromZip process. An attacker can exhaust system memory and cause a service outage by uploading a zip file containing many highly compressible entries, resulting in...

7.1CVSS6AI score0.00602EPSS
Exploits0References3
Snyk
Snyk
•added 2026/07/06 9:5 p.m.•5 views

Unintended Proxy or Intermediary ('Confused Deputy')

Overview Affected versions of this package are vulnerable to Unintended Proxy or Intermediary 'Confused Deputy' in the httpapi.RequestHost process. An attacker can gain unauthorized access to sensitive data by sending requests with a crafted X-Forwarded-Host header, which is trusted over the real...

6.8CVSS6AI score0.00208EPSS
Exploits0References3
Snyk
Snyk
•added 2026/07/06 9:5 p.m.•4 views

Unintended Proxy or Intermediary ('Confused Deputy')

Overview Affected versions of this package are vulnerable to Unintended Proxy or Intermediary 'Confused Deputy' in the httpapi.RequestHost process. An attacker can gain unauthorized access to sensitive data by sending requests with a crafted X-Forwarded-Host header, which is trusted over the real...

6.8CVSS6AI score0.00208EPSS
Exploits0References3
Snyk
Snyk
•added 2026/07/06 9:5 p.m.•4 views

Unintended Proxy or Intermediary ('Confused Deputy')

Overview Affected versions of this package are vulnerable to Unintended Proxy or Intermediary 'Confused Deputy' in the httpapi.RequestHost process. An attacker can gain unauthorized access to sensitive data by sending requests with a crafted X-Forwarded-Host header, which is trusted over the real...

6.8CVSS6AI score0.00208EPSS
Exploits0References3
Snyk
Snyk
•added 2026/07/06 9:5 p.m.•4 views

Unintended Proxy or Intermediary ('Confused Deputy')

Overview Affected versions of this package are vulnerable to Unintended Proxy or Intermediary 'Confused Deputy' in the httpapi.RequestHost process. An attacker can gain unauthorized access to sensitive data by sending requests with a crafted X-Forwarded-Host header, which is trusted over the real...

6.8CVSS6AI score0.00208EPSS
Exploits0References3
Snyk
Snyk
•added 2026/07/06 9:5 p.m.•5 views

Unintended Proxy or Intermediary ('Confused Deputy')

Overview Affected versions of this package are vulnerable to Unintended Proxy or Intermediary 'Confused Deputy' in the httpapi.RequestHost process. An attacker can gain unauthorized access to sensitive data by sending requests with a crafted X-Forwarded-Host header, which is trusted over the real...

6.8CVSS6AI score0.00208EPSS
Exploits0References3
Snyk
Snyk
•added 2026/07/06 9:5 p.m.•4 views

Unintended Proxy or Intermediary ('Confused Deputy')

Overview Affected versions of this package are vulnerable to Unintended Proxy or Intermediary 'Confused Deputy' in the httpapi.RequestHost process. An attacker can gain unauthorized access to sensitive data by sending requests with a crafted X-Forwarded-Host header, which is trusted over the real...

6.8CVSS6AI score0.00208EPSS
Exploits0References3
Snyk
Snyk
•added 2026/07/06 9:5 p.m.•5 views

Unintended Proxy or Intermediary ('Confused Deputy')

Overview Affected versions of this package are vulnerable to Unintended Proxy or Intermediary 'Confused Deputy' in the httpapi.RequestHost process. An attacker can gain unauthorized access to sensitive data by sending requests with a crafted X-Forwarded-Host header, which is trusted over the real...

6.8CVSS6AI score0.00208EPSS
Exploits0References3
Snyk
Snyk
•added 2026/07/06 9:5 p.m.•5 views

Unintended Proxy or Intermediary ('Confused Deputy')

Overview Affected versions of this package are vulnerable to Unintended Proxy or Intermediary 'Confused Deputy' in the httpapi.RequestHost process. An attacker can gain unauthorized access to sensitive data by sending requests with a crafted X-Forwarded-Host header, which is trusted over the real...

6.8CVSS6AI score0.00208EPSS
Exploits0References3
Snyk
Snyk
•added 2026/07/06 8:58 p.m.•6 views

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization in the AllowedIPs process. An attacker can intercept network traffic and serve spoofed content by supplying arbitrary AllowedIPs prefixes, allowing them to claim another agent's tailnet address. This is only...

8.2CVSS6.1AI score0.00405EPSS
Exploits0References3
Snyk
Snyk
•added 2026/07/06 8:58 p.m.•4 views

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization in the AllowedIPs process. An attacker can intercept network traffic and serve spoofed content by supplying arbitrary AllowedIPs prefixes, allowing them to claim another agent's tailnet address. This is only...

8.2CVSS6.1AI score0.00405EPSS
Exploits0References3
Snyk
Snyk
•added 2026/07/06 8:55 p.m.•4 views

Authorization Bypass Through User-Controlled Key

Overview Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the UpsertWorkspaceApp process. An attacker can gain unauthorized access to another user's workspace app by submitting a crafted payload with a known victim app UUID and an...

8.7CVSS6AI score0.00508EPSS
Exploits0References2
Snyk
Snyk
•added 2026/07/06 8:55 p.m.•6 views

Authorization Bypass Through User-Controlled Key

Overview Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the UpsertWorkspaceApp process. An attacker can gain unauthorized access to another user's workspace app by submitting a crafted payload with a known victim app UUID and an...

8.7CVSS6AI score0.00508EPSS
Exploits0References2
Snyk
Snyk
•added 2026/07/06 8:55 p.m.•4 views

Authorization Bypass Through User-Controlled Key

Overview Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the UpsertWorkspaceApp process. An attacker can gain unauthorized access to another user's workspace app by submitting a crafted payload with a known victim app UUID and an...

8.7CVSS6AI score0.00508EPSS
Exploits0References2
Snyk
Snyk
•added 2026/07/06 8:55 p.m.•4 views

Authorization Bypass Through User-Controlled Key

Overview Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the UpsertWorkspaceApp process. An attacker can gain unauthorized access to another user's workspace app by submitting a crafted payload with a known victim app UUID and an...

8.7CVSS6AI score0.00508EPSS
Exploits0References2
Snyk
Snyk
•added 2026/07/06 8:55 p.m.•5 views

Authorization Bypass Through User-Controlled Key

Overview Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the UpsertWorkspaceApp process. An attacker can gain unauthorized access to another user's workspace app by submitting a crafted payload with a known victim app UUID and an...

8.7CVSS6AI score0.00508EPSS
Exploits0References2
Snyk
Snyk
•added 2026/07/06 8:55 p.m.•6 views

Authorization Bypass Through User-Controlled Key

Overview Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the UpsertWorkspaceApp process. An attacker can gain unauthorized access to another user's workspace app by submitting a crafted payload with a known victim app UUID and an...

8.7CVSS6AI score0.00508EPSS
Exploits0References2
Snyk
Snyk
•added 2026/07/06 8:54 p.m.•5 views

Memory Allocation with Excessive Size Value

Overview Affected versions of this package are vulnerable to Memory Allocation with Excessive Size Value via the NewDataBuilder process in provisionersdk/proto/dataupload.go when allocating memory based on a client-supplied FileSize value without an upper-bound check. An attacker can cause the...

6.9CVSS6AI score0.00611EPSS
Exploits0References2
Snyk
Snyk
•added 2026/07/06 8:54 p.m.•5 views

Memory Allocation with Excessive Size Value

Overview Affected versions of this package are vulnerable to Memory Allocation with Excessive Size Value via the NewDataBuilder process in provisionersdk/proto/dataupload.go when allocating memory based on a client-supplied FileSize value without an upper-bound check. An attacker can cause the...

6.9CVSS6AI score0.00611EPSS
Exploits0References2
Snyk
Snyk
•added 2026/07/06 8:54 p.m.•3 views

Memory Allocation with Excessive Size Value

Overview Affected versions of this package are vulnerable to Memory Allocation with Excessive Size Value via the NewDataBuilder process in provisionersdk/proto/dataupload.go when allocating memory based on a client-supplied FileSize value without an upper-bound check. An attacker can cause the...

6.9CVSS6AI score0.00611EPSS
Exploits0References2
Snyk
Snyk
•added 2026/07/06 8:53 p.m.•7 views

Command Injection

Overview Affected versions of this package are vulnerable to Command Injection via the coder config-ssh process. An attacker can execute arbitrary commands on the local system by injecting malicious SSH configuration directives through unsanitized server-supplied values. This is only exploitable ...

8.3CVSS6.2AI score0.00466EPSS
Exploits0References3
Snyk
Snyk
•added 2026/07/06 8:53 p.m.•4 views

Command Injection

Overview Affected versions of this package are vulnerable to Command Injection via the coder config-ssh process. An attacker can execute arbitrary commands on the local system by injecting malicious SSH configuration directives through unsanitized server-supplied values. This is only exploitable ...

8.3CVSS6.2AI score0.00466EPSS
Exploits0References3
Snyk
Snyk
•added 2026/07/06 8:53 p.m.•4 views

Command Injection

Overview Affected versions of this package are vulnerable to Command Injection via the coder config-ssh process. An attacker can execute arbitrary commands on the local system by injecting malicious SSH configuration directives through unsanitized server-supplied values. This is only exploitable ...

8.3CVSS6.2AI score0.00466EPSS
Exploits0References3
Snyk
Snyk
•added 2026/07/06 8:53 p.m.•3 views

Command Injection

Overview Affected versions of this package are vulnerable to Command Injection via the coder config-ssh process. An attacker can execute arbitrary commands on the local system by injecting malicious SSH configuration directives through unsanitized server-supplied values. This is only exploitable ...

8.3CVSS6.2AI score0.00466EPSS
Exploits0References3
Snyk
Snyk
•added 2026/07/06 8:53 p.m.•5 views

Improper Authorization

Overview Affected versions of this package are vulnerable to Improper Authorization via the PUT /api/v2/users/user/password endpoint. An attacker can gain unauthorized access to owner-level accounts by resetting their passwords without knowing the current password, allowing privilege escalation a...

8.6CVSS6AI score0.00615EPSS
Exploits0References2
Snyk
Snyk
•added 2026/07/06 8:53 p.m.•3 views

Improper Authorization

Overview Affected versions of this package are vulnerable to Improper Authorization via the PUT /api/v2/users/user/password endpoint. An attacker can gain unauthorized access to owner-level accounts by resetting their passwords without knowing the current password, allowing privilege escalation a...

8.6CVSS6AI score0.00615EPSS
Exploits0References2
Snyk
Snyk
•added 2026/07/06 8:52 p.m.•4 views

Authentication Bypass by Alternate Name

Overview Affected versions of this package are vulnerable to Authentication Bypass by Alternate Name via improper handling of OIDC authentication and the emailverified claim. An attacker can gain unauthorized access to another user's account by authenticating with an email address matching the...

9.1CVSS6AI score0.00479EPSS
Exploits0References3
Snyk
Snyk
•added 2026/07/06 8:52 p.m.•4 views

Authentication Bypass by Alternate Name

Overview Affected versions of this package are vulnerable to Authentication Bypass by Alternate Name via improper handling of OIDC authentication and the emailverified claim. An attacker can gain unauthorized access to another user's account by authenticating with an email address matching the...

9.1CVSS6AI score0.00479EPSS
Exploits0References3
Snyk
Snyk
•added 2026/07/06 8:52 p.m.•5 views

Authentication Bypass by Alternate Name

Overview Affected versions of this package are vulnerable to Authentication Bypass by Alternate Name via improper handling of OIDC authentication and the emailverified claim. An attacker can gain unauthorized access to another user's account by authenticating with an email address matching the...

9.1CVSS6AI score0.00479EPSS
Exploits0References3
Snyk
Snyk
•added 2026/07/06 8:52 p.m.•6 views

Authentication Bypass by Alternate Name

Overview Affected versions of this package are vulnerable to Authentication Bypass by Alternate Name via improper handling of OIDC authentication and the emailverified claim. An attacker can gain unauthorized access to another user's account by authenticating with an email address matching the...

9.1CVSS6AI score0.00479EPSS
Exploits0References3
Snyk
Snyk
•added 2026/07/06 8:50 p.m.•4 views

Incorrect Type Conversion or Cast

Overview Affected versions of this package are vulnerable to Incorrect Type Conversion or Cast via the OIDC callback process. An attacker can gain unauthorized access to user accounts by exploiting improper type handling of the emailverified claim, allowing account takeover without prior...

9.1CVSS6AI score0.00479EPSS
Exploits0References3
Snyk
Snyk
•added 2026/07/06 8:50 p.m.•3 views

Incorrect Type Conversion or Cast

Overview Affected versions of this package are vulnerable to Incorrect Type Conversion or Cast via the OIDC callback process. An attacker can gain unauthorized access to user accounts by exploiting improper type handling of the emailverified claim, allowing account takeover without prior...

9.1CVSS6AI score0.00479EPSS
Exploits0References3
Snyk
Snyk
•added 2026/07/06 8:50 p.m.•5 views

Incorrect Type Conversion or Cast

Overview Affected versions of this package are vulnerable to Incorrect Type Conversion or Cast via the OIDC callback process. An attacker can gain unauthorized access to user accounts by exploiting improper type handling of the emailverified claim, allowing account takeover without prior...

9.1CVSS6AI score0.00479EPSS
Exploits0References3
Snyk
Snyk
•added 2026/07/06 8:50 p.m.•5 views

Incorrect Type Conversion or Cast

Overview Affected versions of this package are vulnerable to Incorrect Type Conversion or Cast via the OIDC callback process. An attacker can gain unauthorized access to user accounts by exploiting improper type handling of the emailverified claim, allowing account takeover without prior...

9.1CVSS6AI score0.00479EPSS
Exploits0References3
Snyk
Snyk
•added 2026/07/06 8:49 p.m.•3 views

XML External Entity (XXE) Injection

Overview Affected versions of this package are vulnerable to XML External Entity XXE Injection in the startAssetImport process. An attacker can access arbitrary files on the server filesystem and potentially interact with internal or cloud metadata endpoints by uploading a specially crafted ETS...

7.6CVSS6.1AI score
Exploits0References2
Snyk
Snyk
•added 2026/07/06 8:47 p.m.•4 views

Authorization Bypass Through User-Controlled Key

Overview Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key in the UserResourceImpl process. An attacker can access sensitive user profile information, client roles, and realm roles across different realms by supplying a valid user UUID from anoth...

7.7CVSS6AI score
Exploits0References2
Snyk
Snyk
•added 2026/07/06 8:43 p.m.•7 views

Cleartext Transmission of Sensitive Information

Overview Affected versions of this package are vulnerable to Cleartext Transmission of Sensitive Information due to the incorrect protocol check in the helmet middleware, which fails to set the Strict-Transport-Security header even when configured. An attacker can intercept and manipulate network...

6.3CVSS6AI score0.00207EPSS
Exploits0References2
Snyk
Snyk
•added 2026/07/06 8:43 p.m.•6 views

Cleartext Transmission of Sensitive Information

Overview Affected versions of this package are vulnerable to Cleartext Transmission of Sensitive Information due to the incorrect protocol check in the helmet middleware, which fails to set the Strict-Transport-Security header even when configured. An attacker can intercept and manipulate network...

6.3CVSS6AI score0.00207EPSS
Exploits0References2
Snyk
Snyk
•added 2026/07/06 8:42 p.m.•5 views

Incorrect Implementation of Authentication Algorithm

Overview org.postgresql:postgresql is a Java JDBC 4.2 JRE 8+ driver for PostgreSQL database. Affected versions of this package are vulnerable to Incorrect Implementation of Authentication Algorithm in the ScramAuthenticator class, which fails open by confirming only that the server advertised a...

8.2CVSS6AI score0.00236EPSS
Exploits0References2
Snyk
Snyk
•added 2026/07/06 8:42 p.m.•6 views

Memory Allocation with Excessive Size Value

Overview Affected versions of this package are vulnerable to Memory Allocation with Excessive Size Value via the PcfFontFile.loadbitmaps process. An attacker can cause excessive memory allocation by supplying crafted PCF font data that bypasses decompression bomb checks. Remediation Upgrade pillo...

8.7CVSS6AI score0.00354EPSS
Exploits1References2
Snyk
Snyk
•added 2026/07/06 8:42 p.m.•5 views

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Overview langroid is a Harness LLMs with Multi-Agent Programming Affected versions of this package are vulnerable to Improper Neutralization of Special Elements in Output Used by a Downstream Component 'Injection' via the handlemessage process. An attacker can execute arbitrary tool handlers by...

8.6CVSS6.1AI score0.00392EPSS
Exploits0References2
Snyk
Snyk
•added 2026/07/06 8:42 p.m.•4 views

Memory Allocation with Excessive Size Value

Overview Affected versions of this package are vulnerable to Memory Allocation with Excessive Size Value in the GdImageFile.open process. An attacker can cause excessive memory allocation by supplying a crafted .gd file that bypasses decompression bomb checks. Remediation Upgrade pillow to versio...

8.7CVSS6AI score0.00361EPSS
Exploits1References2
Snyk
Snyk
•added 2026/07/06 8:42 p.m.•6 views

Memory Allocation with Excessive Size Value

Overview Affected versions of this package are vulnerable to Memory Allocation with Excessive Size Value in the FontFile.compile process. An attacker can cause excessive memory allocation by providing a specially crafted font file that triggers uncontrolled resource consumption during image...

8.7CVSS6AI score0.00361EPSS
Exploits1References2
Snyk
Snyk
•added 2026/07/06 8:42 p.m.•4 views

Memory Allocation with Excessive Size Value

Overview Affected versions of this package are vulnerable to Memory Allocation with Excessive Size Value in the bdfchar process when attacker-controlled dimensions from a BDF font file are passed to Image.new without invoking the decompressionbombcheck function. An attacker can cause excessive...

8.7CVSS6AI score0.00364EPSS
Exploits1References2
Snyk
Snyk
•added 2026/07/06 8:42 p.m.•5 views

Arbitrary Code Injection

Overview langroid is a Harness LLMs with Multi-Agent Programming Affected versions of this package are vulnerable to Arbitrary Code Injection in the eval process used by certain agent components when evaluating external input with fulleval=True. An attacker can execute arbitrary system commands b...

10CVSS6.2AI score0.00912EPSS
Exploits0References2
Snyk
Snyk
•added 2026/07/06 8:39 p.m.•18 views

Command Injection

Overview Affected versions of this package are vulnerable to Command Injection via the getcommand function. An attacker can execute arbitrary commands by supplying a file path containing shell metacharacters. Remediation Upgrade pillow to version 12.3.0 or higher. References - GitHub Advisory -...

4.5CVSS6.2AI score0.00136EPSS
Exploits1References2
Snyk
Snyk
•added 2026/07/06 8:39 p.m.•5 views

SQL Injection

Overview langroid is a Harness LLMs with Multi-Agent Programming Affected versions of this package are vulnerable to SQL Injection through the SQLChatAgent process. An attacker can access arbitrary files on the server by crafting SQL queries that bypass the regex-based blocklist using quoted...

9.8CVSS6.2AI score0.00646EPSS
Exploits0References3
Snyk
Snyk
•added 2026/07/06 8:32 p.m.•4 views

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the DownloadTinyFile process when the scheduler's gRPC service accepts attacker-controlled values for PeerHost.Ip and PeerHost.DownPort without proper validation. An attacker can cause the scheduler t...

6.9CVSS6AI score
Exploits0References2
Snyk
Snyk
•added 2026/07/06 8:32 p.m.•4 views

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the DownloadTinyFile process when the scheduler's gRPC service accepts attacker-controlled values for PeerHost.Ip and PeerHost.DownPort without proper validation. An attacker can cause the scheduler t...

6.9CVSS6AI score
Exploits0References2
Total number of security vulnerabilities35669