Lucene search
K

33544 matches found

Snyk
Snyk
added 2026/04/10 10:11 p.m.5 views

Directory Traversal

Overview Affected versions of this package are vulnerable to Directory Traversal via the cloudstore.file.upload action. An attacker can write arbitrary files to the filesystem and potentially execute code by supplying crafted filenames that exploit path traversal and zip slip vulnerabilities...

9.8CVSS6.3AI score
Exploits0References2
Snyk
Snyk
added 2026/04/10 10:10 p.m.10 views

Improperly Controlled Modification of Dynamically-Determined Object Attributes

Overview Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes via the expression parser. An attacker can execute arbitrary JavaScript code by sending malicious expressions for evaluation. Remediation There is no fixed...

8.8CVSS6AI score
Exploits0References3
Snyk
Snyk
added 2026/04/10 10:10 p.m.5 views

Improperly Controlled Modification of Dynamically-Determined Object Attributes

Overview mathjs is a math library for JavaScript and Node.js. It features a flexible expression parser with support for symbolic computation, comes with a large set of built-in functions and constants, and offers an integrated solution to work with diff. Affected versions of this package are...

8.8CVSS6AI score
Exploits0References3
Snyk
Snyk
added 2026/04/10 10:9 p.m.3 views

Cross-site Scripting (XSS)

Overview unhead is a Full-stack manager built for any framework. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the streamKey configuration parameter on the streaming server-side. An attacker can execute arbitrary JavaScript code in the context of the rendered pa...

4.7CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/04/10 10:9 p.m.8 views

Server-side Request Forgery (SSRF)

Overview rembg is a Remove image background Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the /api/remove endpoint, which accepts a URL parameter and fetches external resources. An attacker can access internal network resources and retrieve sensitive ima...

5.3CVSS5.8AI score
Exploits0References3
Snyk
Snyk
added 2026/04/10 10:9 p.m.4 views

Timing Attack

Overview phpseclib/phpseclib is a PHP Secure Communications Library - Pure-PHP implementations of RSA, AES, SSH2, SFTP, X.509 etc. Affected versions of this package are vulnerable to Timing Attack via the getbinarypacket function. An attacker can potentially infer sensitive information about the...

6.3CVSS5.8AI score0.00334EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/10 10:9 p.m.7 views

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the url parameter in the /api/templates/fetch endpoint, which performs a server-side HTTP GET request without authentication or validation of the URL scheme or host. An attacker can access internal...

7.2CVSS5.6AI score0.00621EPSS
Exploits1References2
Snyk
Snyk
added 2026/04/10 10:7 p.m.2 views

Missing Authentication for Critical Function

Overview Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the AdminService/StreamWorkflowReplicationMessages endpoint. An attacker can access replication streams and exfiltrate data by connecting to the frontend gRPC server without providing...

6.3CVSS5.8AI score0.0051EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/10 10:7 p.m.4 views

Missing Authentication for Critical Function

Overview Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the AdminService/StreamWorkflowReplicationMessages endpoint. An attacker can access replication streams and exfiltrate data by connecting to the frontend gRPC server without providing...

6.3CVSS5.8AI score0.0051EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/10 10:7 p.m.2 views

Missing Authentication for Critical Function

Overview Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the AdminService/StreamWorkflowReplicationMessages endpoint. An attacker can access replication streams and exfiltrate data by connecting to the frontend gRPC server without providing...

6.3CVSS5.8AI score0.0051EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/10 10:7 p.m.2 views

Missing Authentication for Critical Function

Overview Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the AdminService/StreamWorkflowReplicationMessages endpoint. An attacker can access replication streams and exfiltrate data by connecting to the frontend gRPC server without providing...

6.3CVSS5.8AI score0.0051EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/10 9:10 p.m.3 views

Missing Authorization

Overview Affected versions of this package are vulnerable to Missing Authorization due to missing authorization checks in state-changing routes. An attacker can upload or delete files, create directories, and remove access control policies by sending unauthenticated requests to endpoints such as...

9.8CVSS5.8AI score0.00651EPSS
Exploits1References2
Snyk
Snyk
added 2026/04/10 9:10 p.m.5 views

Missing Authorization

Overview Affected versions of this package are vulnerable to Missing Authorization due to missing authorization checks in state-changing routes. An attacker can upload or delete files, create directories, and remove access control policies by sending unauthenticated requests to endpoints such as...

9.8CVSS8.5AI score0.00651EPSS
Exploits1References2
Snyk
Snyk
added 2026/04/10 9:10 p.m.4 views

Missing Write Protection for Parametric Data Values

Overview Affected versions of this package are vulnerable to Missing Write Protection for Parametric Data Values through improper sanitization of the destination path in the rename process. An attacker can overwrite files outside the intended root directory by supplying crafted destination paths...

7.7CVSS5.8AI score0.00318EPSS
Exploits1References2
Snyk
Snyk
added 2026/04/10 9:10 p.m.4 views

Missing Write Protection for Parametric Data Values

Overview Affected versions of this package are vulnerable to Missing Write Protection for Parametric Data Values through improper sanitization of the destination path in the rename process. An attacker can overwrite files outside the intended root directory by supplying crafted destination paths...

7.7CVSS8.4AI score0.00318EPSS
Exploits1References2
Snyk
Snyk
added 2026/04/10 9:8 p.m.2 views

Cross-site Scripting (XSS)

Overview rhukster/dom-sanitizer is an a simple but effective DOM/SVG/MathML Sanitizer for PHP 7.4+. Affected versions of this package are vulnerable to Cross-site Scripting XSS in the sanitize process. An attacker can cause the browser to send HTTP requests to attacker-controlled hosts, exfiltrat...

5.3CVSS5.6AI score0.00271EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/10 9:8 p.m.3 views

Prototype Pollution

Overview langsmith is a Client library to connect to the LangSmith Observability and Evaluation Platform. Affected versions of this package are vulnerable to Prototype Pollution via constructor.prototype in the baseAssignValue function. An attacker can modify the Object.prototype by supplying...

6.3CVSS6.4AI score0.00233EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/10 9:7 p.m.7 views

Generation of Predictable Numbers or Identifiers

Overview DotNetNuke.Core is a references provider to the DotNetNuke.dll to develop extensions for the DNN Platform. Affected versions of this package are vulnerable to Generation of Predictable Numbers or Identifiers in the form of generation of identical HostGUID values during installation. An...

6.9CVSS5.8AI score0.00175EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/10 9:7 p.m.5 views

Cross-site Request Forgery (CSRF)

Overview DotNetNuke.Core is a references provider to the DotNetNuke.dll to develop extensions for the DNN Platform. Affected versions of this package are vulnerable to Cross-site Request Forgery CSRF in the AddFriend functionality. An attacker can send a request that forces another user to accept...

5.3CVSS5.8AI score0.00183EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/10 9:3 p.m.2 views

Open Redirect

Overview next-intl is an Internationalization i18n for Next.js Affected versions of this package are vulnerable to Open Redirect in the middleware process when localePrefix is set to 'as-needed'. An attacker can redirect users to an external site by crafting URLs that exploit the way relative...

6.9CVSS5.6AI score0.00339EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/10 9:0 p.m.5 views

Race Condition

Overview Affected versions of this package are vulnerable to Race Condition due to unsynchronized concurrent access to the userTokens map in the local authentication process. An attacker can cause the server to crash or reuse authentication tokens by sending multiple simultaneous requests to the...

6.4CVSS5.8AI score0.00243EPSS
Exploits1References2
Snyk
Snyk
added 2026/04/10 9:0 p.m.9 views

Improper Authorization

Overview Affected versions of this package are vulnerable to Improper Authorization via the CloudSpec method on the Controller facade. An attacker can obtain sensitive cloud credentials by making an authenticated API call with only basic login permissions, without requiring elevated privileges...

9.9CVSS5.8AI score0.00445EPSS
Exploits1References2
Snyk
Snyk
added 2026/04/10 9:0 p.m.5 views

Directory Traversal

Overview gramps-webapi is an A RESTful web API for the Gramps genealogical database. Affected versions of this package are vulnerable to Directory Traversal via the MediaImporter.checkdiskspaceandextract function. An attacker can write arbitrary files outside the intended extraction directory by...

9.1CVSS6.3AI score0.00401EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/10 8:59 p.m.2 views

Missing Authentication for Critical Function

Overview n8n-mcp is an Integration between n8n workflow automation and Model Context Protocol MCP Affected versions of this package are vulnerable to Missing Authentication for Critical Function due to missing authentication in several HTTP transport endpoints and exposure of sensitive operationa...

8.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/04/10 8:59 p.m.2 views

XML Entity Expansion

Overview pypdf is an A pure-python PDF library capable of splitting, merging, cropping, and transforming PDF files Affected versions of this package are vulnerable to XML Entity Expansion when parsing XMP metadata. An attacker can cause excessive memory consumption with excessive DOCTYPE entity...

6.9CVSS5.8AI score0.00423EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/10 8:42 p.m.6 views

Cross-site Scripting (XSS)

Overview DotNetNuke.Core is a references provider to the DotNetNuke.dll to develop extensions for the DNN Platform. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the SVG upload. An user can execute arbitrary scripts in the context of other users by uploading a...

8CVSS5.8AI score0.07598EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/10 8:18 p.m.10 views

CRLF Injection

Overview basic-ftp is a FTP client for Node.js, supports FTPS over TLS, IPv6, Async/Await, and Typescript. Affected versions of this package are vulnerable to CRLF Injection via the login and openDir methods. An attacker can execute arbitrary FTP commands by injecting control characters into...

9.1CVSS6.1AI score0.02185EPSS
Exploits1References2
Snyk
Snyk
added 2026/04/10 8:8 p.m.8 views

HTTP Response Splitting

Overview axios is a promise-based HTTP client for the browser and Node.js. Affected versions of this package are vulnerable to HTTP Response Splitting via the parseTokens header processing path in lib/core/AxiosHeaders.js. An attacker can smuggle HTTP requests or inject arbitrary headers by...

9CVSS5.9AI score0.01815EPSS
Exploits5References2
Snyk
Snyk
added 2026/04/10 8:8 p.m.5 views

HTTP Response Splitting

Overview org.webjars.npm:axios is a promise-based HTTP client for the browser and Node.js. Affected versions of this package are vulnerable to HTTP Response Splitting via the parseTokens header processing path in lib/core/AxiosHeaders.js. An attacker can smuggle HTTP requests or inject arbitrary...

9CVSS6.1AI score0.01815EPSS
Exploits5References2
Snyk
Snyk
added 2026/04/10 7:54 p.m.7 views

Race Condition

Overview ajenti.plugin.core is a Core Affected versions of this package are vulnerable to Race Condition in the 2FA authentication. An attacker can gain unauthorized access by exploiting a timing issue immediately after user authentication, allowing them to bypass intended security checks...

9.1CVSS5.8AI score0.00232EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/10 7:50 p.m.5 views

Arbitrary File Upload

Overview Affected versions of this package are vulnerable to Arbitrary File Upload via the file upload. An administrator can execute arbitrary JavaScript in the context of the application by uploading a crafted SVG or HTML file containing malicious scripts, which are then served to users without...

5.9CVSS6AI score
Exploits0References2
Snyk
Snyk
added 2026/04/10 7:50 p.m.5 views

Arbitrary File Upload

Overview Affected versions of this package are vulnerable to Arbitrary File Upload via the file upload. An administrator can execute arbitrary JavaScript in the context of the application by uploading a crafted SVG or HTML file containing malicious scripts, which are then served to users without...

5.9CVSS6AI score
Exploits0References2
Snyk
Snyk
added 2026/04/10 7:50 p.m.6 views

Arbitrary File Upload

Overview Affected versions of this package are vulnerable to Arbitrary File Upload via the file upload. An administrator can execute arbitrary JavaScript in the context of the application by uploading a crafted SVG or HTML file containing malicious scripts, which are then served to users without...

5.9CVSS6AI score
Exploits0References2
Snyk
Snyk
added 2026/04/10 7:50 p.m.7 views

Arbitrary File Upload

Overview Affected versions of this package are vulnerable to Arbitrary File Upload via the file upload. An administrator can execute arbitrary JavaScript in the context of the application by uploading a crafted SVG or HTML file containing malicious scripts, which are then served to users without...

5.9CVSS6AI score
Exploits0References2
Snyk
Snyk
added 2026/04/10 7:49 p.m.3 views

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the validateWebhookURL function. An administrator can access internal network resources and cloud metadata endpoints by submitting webhook URLs that use hostnames resolving to private IP addresses,...

7CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/04/10 7:49 p.m.3 views

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the validateWebhookURL function. An administrator can access internal network resources and cloud metadata endpoints by submitting webhook URLs that use hostnames resolving to private IP addresses,...

7CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/04/10 7:49 p.m.3 views

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the validateWebhookURL function. An administrator can access internal network resources and cloud metadata endpoints by submitting webhook URLs that use hostnames resolving to private IP addresses,...

7CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/04/10 7:49 p.m.4 views

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the validateWebhookURL function. An administrator can access internal network resources and cloud metadata endpoints by submitting webhook URLs that use hostnames resolving to private IP addresses,...

7CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/04/10 7:49 p.m.4 views

Missing Authorization

Overview Affected versions of this package are vulnerable to Missing Authorization due to missing authorization checks in the GetSystemLogs, SSESubscribeSystemLogs, and WSSubscribeSystemLogs endpoints. A non-admin user can access sensitive server log information, including error stack traces,...

5.3CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/04/10 7:49 p.m.5 views

Missing Authorization

Overview Affected versions of this package are vulnerable to Missing Authorization due to the lack of a RequireScopes call in internal/router/comment.go comment panel admin endpoint. An attacker can gain unauthorized access to comment moderation operations, including listing, approving, rejecting...

6.9CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/04/10 7:49 p.m.5 views

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization in the PUT /user route. An attacker can gain full administrative privileges by using a read-only access token to change the administrator's password, then logging in to obtain an unrestricted session token that...

8.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/04/10 7:49 p.m.2 views

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization in the PUT /user route. An attacker can gain full administrative privileges by using a read-only access token to change the administrator's password, then logging in to obtain an unrestricted session token that...

8.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/04/10 7:47 p.m.9 views

User Impersonation

Overview ajenti.plugin.core is a Core Affected versions of this package are vulnerable to User Impersonation via 2FA authentication. An attacker can gain unauthorized access by bypassing password authentication. Remediation Upgrade ajenti.plugin.core to version 0.112 or higher. References - GitHu...

9.3CVSS5.8AI score0.00329EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/10 7:40 p.m.5 views

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the function parameter, which is concatenated into an API error message and rendered without HTML escaping. An attacker can execute arbitrary JavaScript code in the context of a backend user's session by...

4.1CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/04/10 7:40 p.m.2 views

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS in the type parameter, which is concatenated into an API error message and rendered without HTML escaping. An attacker can execute arbitrary JavaScript code in the context of the backend session by crafting a...

4.1CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/04/10 7:40 p.m.4 views

Missing Authorization

Overview Affected versions of this package are vulnerable to Missing Authorization in the dashboard log endpoints. An attacker can access sensitive operational log data by sending authenticated requests to the log endpoints without requiring elevated privileges. Remediation Upgrade...

5.3CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/04/10 7:39 p.m.5 views

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization missing RequireScopes enforcement on privileged routes. An attacker can gain unauthorized access to privileged endpoints and export sensitive backup data by using a deliberately limited admin access token on rout...

6.4CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/04/10 7:39 p.m.5 views

Directory Traversal

Overview uv is an An extremely fast Python package and project manager, written in Rust. Affected versions of this package are vulnerable to Directory Traversal through the uninstall process when handling RECORD entries containing relative paths that traverse outside the intended installation...

3.1CVSS6.3AI score
Exploits0References2
Snyk
Snyk
added 2026/04/10 7:32 p.m.2 views

Missing Authentication for Critical Function

Overview PraisonAI is a PraisonAI is an AI Agents Framework with Self Reflection. PraisonAI application combines PraisonAI Agents, AutoGen, and CrewAI into a low-code solution for building and managing multi-agent LLM systems, focusing on simplicity, customisation, and efficient human-agent...

9.3CVSS5.8AI score0.00356EPSS
Exploits1References2
Snyk
Snyk
added 2026/04/10 7:32 p.m.2 views

Arbitrary Code Injection

Overview PraisonAI is a PraisonAI is an AI Agents Framework with Self Reflection. PraisonAI application combines PraisonAI Agents, AutoGen, and CrewAI into a low-code solution for building and managing multi-agent LLM systems, focusing on simplicity, customisation, and efficient human-agent...

9.8CVSS6.2AI score0.00609EPSS
Exploits1References3
Total number of security vulnerabilities33544