Lucene search

33588 matches found

Snyk, added 2026/04/09 6:10 p.m.

Improper Privilege Management

Overview: Affected versions of this package are vulnerable to Improper Privilege Management via the ClickhouseUser/ServiceUser. An attacker can access sensitive information from other namespaces by supplying a crafted namespace value, causing the operator to read secrets from unauthorized location...

CVSS 8.2, AI score 5.7, EPSS 0.00394
Exploits: 0, References: 2

Snyk, added 2026/04/09 6:10 p.m.

Improper Validation of Unsafe Equivalence in Input

Overview: Affected versions of this package are vulnerable to Improper Validation of Unsafe Equivalence in Input via the TopicSelectorStore process. An attacker can access private updates intended for authorized subscribers or prevent delivery to legitimate recipients by poisoning the match result...

CVSS 7.1, AI score 5.8, EPSS 0.00341
Exploits: 0, References: 2

Snyk, added 2026/04/09 6:10 p.m.

Improper Validation of Unsafe Equivalence in Input

Overview: Affected versions of this package are vulnerable to Improper Validation of Unsafe Equivalence in Input via the TopicSelectorStore process. An attacker can access private updates intended for authorized subscribers or prevent delivery to legitimate recipients by poisoning the match result...

CVSS 7.1, AI score 5.8, EPSS 0.00341
Exploits: 0, References: 2

Snyk, added 2026/04/09 6:10 p.m.

Weak Authentication

Overview: Affected versions of this package are vulnerable to Weak Authentication due to improper validation of oauth_user_id in the TokenGuard::authenticateViaBearerToken function. An attacker can gain unauthorized access to unrelated user accounts by presenting a machine-to-machine token with a...

CVSS 7.1, AI score 5.8, EPSS 0.00289
Exploits: 1, References: 2

Snyk, added 2026/04/09 6:10 p.m.

Cross-site Scripting (XSS)

Overview: limesurvey/limesurvey is a FOSS online survey tool on the web. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the Boxtitle and boxurl parameters. An attacker can execute arbitrary scripts in the context of a user's browser by injecting malicious input...

CVSS 8.5, AI score 5.8, EPSS 0.00279
Exploits: 1, References: 2

Snyk, added 2026/04/09 6:09 p.m.

Cross-site Scripting (XSS)

Overview: limesurvey/limesurvey is a FOSS online survey tool on the web. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the getInstance function when processing the gid parameter. An attacker can execute arbitrary JavaScript in the context of a logged-in user by...

CVSS 6.1, AI score 5.8, EPSS 0.00227
Exploits: 1, References: 2

Snyk, added 2026/04/09 6:08 p.m.

Arbitrary Code Injection

Overview: metagpt is The Multi-Agent Framework. Affected versions of this package are vulnerable to Arbitrary Code Injection via the checksolution function in the HumanEvalBenchmark/MBPPBenchmark component. An attacker can execute arbitrary code by sending specially crafted input remotely...

CVSS 9.8, AI score 7.5, EPSS 0.00387
Exploits: 1, References: 2

Snyk, added 2026/04/09 5:37 p.m.

Allocation of Resources Without Limits or Throttling

Overview: openclaw is 🦞 OpenClaw — Personal AI Assistant. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to missing pre-allocation size checks in the base64 decoding process. An attacker can cause excessive memory allocation by providi...

CVSS 6.5, AI score 5.8, EPSS 0.00302
Exploits: 0, References: 2
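The pattern behind this entry, as an added example that is not OpenClaw's code: the decoded size of a base64 payload is fully determined by the encoded text, so the limit can be enforced before any output buffer exists. The 1 MiB budget, the function names and the sample inputs are assumptions for the example.

```javascript
// Added example, not OpenClaw code: bound a base64 payload by the size it
// would decode to, *before* allocating anything for the decoded bytes.
// The weak pattern decodes first and only then (if ever) checks the size,
// so a request body of a few hundred megabytes of base64 is fully
// materialised in memory on every call.

// Assumed budget for a single decoded payload (1 MiB); pick per endpoint.
const MAX_DECODED_BYTES = 1024 * 1024;

// Work out the decoded length from the encoded text alone. This looks only
// at the string length and the trailing padding, so it costs nothing
// compared to the decode itself and allocates no output buffer.
function predictDecodedLength(b64) {
  const clean = b64.replace(/\s+/g, ''); // tolerate wrapped/indented input
  if (clean.length % 4 === 1) {
    // No valid base64 text has a length of 4k+1 characters.
    throw new Error('invalid base64: impossible length');
  }
  let padding = 0;
  if (clean.endsWith('==')) padding = 2;
  else if (clean.endsWith('=')) padding = 1;
  // Every base64 character carries 6 bits; padding characters carry none.
  return Math.floor(((clean.length - padding) * 6) / 8);
}

// Hardened decode: the limit is enforced on the predicted size, so an
// over-budget payload is rejected without any large allocation.
function decodeBase64Bounded(b64, maxBytes = MAX_DECODED_BYTES) {
  const predicted = predictDecodedLength(b64);
  if (predicted > maxBytes) {
    throw new RangeError(
      `decoded payload would be ${predicted} bytes, limit is ${maxBytes}`,
    );
  }
  const out = Buffer.from(b64, 'base64');
  // Defence in depth: Buffer.from is lenient about malformed input, so make
  // sure the real result also fits the budget.
  if (out.length > maxBytes) {
    throw new RangeError('decoded payload exceeds limit');
  }
  return out;
}

// Convenience for callers that prefer a verdict to an exception.
function fitsBudget(b64, maxBytes = MAX_DECODED_BYTES) {
  try {
    return predictDecodedLength(b64) <= maxBytes;
  } catch {
    return false;
  }
}

// Constructed inputs for demonstration.
const SMALL = Buffer.from('hello').toString('base64'); // 'aGVsbG8='
const HUGE = 'A'.repeat(4 * 1024 * 1024); // would decode to 3 MiB, over budget
```

The same prediction works for any base64 variant that uses four characters per three bytes (URL-safe alphabets included); the check belongs at the first point where untrusted text is accepted, not after `Buffer.from` has already run.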

Snyk, added 2026/04/09 5:37 p.m.

Missing Support for Integrity Check

Overview: openclaw is 🦞 OpenClaw — Personal AI Assistant. Affected versions of this package are vulnerable to Missing Support for Integrity Check through the download process. An attacker can cause unauthorized or malicious plugin archives to be installed by providing tampered or unverified files...

CVSS 6.9, AI score 5.8
Exploits: 0, References: 2

Snyk, added 2026/04/09 5:37 p.m.

Insufficient Verification of Data Authenticity

Overview: openclaw is 🦞 OpenClaw — Personal AI Assistant. Affected versions of this package are vulnerable to Insufficient Verification of Data Authenticity via the fetchWithSsrFGuard function. An attacker can cause unsafe request bodies or headers to be resent across cross-origin redirects by...

CVSS 7.4, AI score 5.8
Exploits: 0, References: 2

Snyk, added 2026/04/09 5:37 p.m.

Command Injection

Overview: openclaw is 🦞 OpenClaw — Personal AI Assistant. Affected versions of this package are vulnerable to Command Injection via the host-exec process. An attacker can execute arbitrary commands by injecting environment variables that influence interpreters, shells, or build tools. Remediation: ...

CVSS 5.9, AI score 6.1
Exploits: 0, References: 2

Snyk, added 2026/04/09 5:36 p.m.

Server-side Request Forgery (SSRF)

Overview: openclaw is 🦞 OpenClaw — Personal AI Assistant. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via improper handling of redirects in the Playwright navigation. An attacker can access internal or private network resources by crafting requests that...

CVSS 6.9, AI score 5.8, EPSS 0.00188
Exploits: 0, References: 2

Snyk, added 2026/04/09 5:36 p.m.

Improper Privilege Management

Overview: openclaw is 🦞 OpenClaw — Personal AI Assistant. Affected versions of this package are vulnerable to Improper Privilege Management in the Gateway plugin HTTP. An attacker can gain unauthorized write access by sending requests that are only intended to have read privileges, resulting in...

CVSS 7.1, AI score 5.8, EPSS 0.00239
Exploits: 0, References: 2

Snyk, added 2026/04/09 5:36 p.m.

Server-side Request Forgery (SSRF)

Overview: openclaw is 🦞 OpenClaw — Personal AI Assistant. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the Interaction-Triggered Navigation. An attacker can access internal resources by triggering browser interactions that bypass normal navigation check...

CVSS 6.9, AI score 5.8
Exploits: 0, References: 2

Snyk, added 2026/04/09 5:36 p.m.

Improper Privilege Management

Overview: openclaw is 🦞 OpenClaw — Personal AI Assistant. Affected versions of this package are vulnerable to Improper Privilege Management via the node.pair.approve function being assigned to the broader operator.write scope instead of the intended operator.pairing scope. An attacker can gain...

CVSS 8.8, AI score 5.8, EPSS 0.00282
Exploits: 0, References: 2

Snyk, added 2026/04/09 5:36 p.m.

Incorrect Permission Assignment for Critical Resource

Overview: openclaw is 🦞 OpenClaw — Personal AI Assistant. Affected versions of this package are vulnerable to Incorrect Permission Assignment for Critical Resource via the uploadfile or uploadimage process. An attacker can access files outside the intended workspace directory by uploading special...

CVSS 6.5, AI score 5.8, EPSS 0.00326
Exploits: 0, References: 2

Snyk, added 2026/04/09 5:36 p.m.

Server-side Request Forgery (SSRF)

Overview: openclaw is 🦞 OpenClaw — Personal AI Assistant. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) in the media download process. An attacker can access internal network resources by sending crafted requests to the affected media fetch endpoints...

CVSS 8.5, AI score 5.8, EPSS 0.00218
Exploits: 0, References: 2

Snyk, added 2026/04/09 5:36 p.m.

Insufficient Session Expiration

Overview: openclaw is 🦞 OpenClaw — Personal AI Assistant. Affected versions of this package are vulnerable to Insufficient Session Expiration due to the failure to terminate existing WebSocket sessions upon shared gateway token rotation. An attacker can maintain unauthorized access to an active...

CVSS 5.9, AI score 5.7
Exploits: 0, References: 2

Snyk, added 2026/04/09 5:35 p.m.

Allocation of Resources Without Limits or Throttling

Overview: openclaw is 🦞 OpenClaw — Personal AI Assistant. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling through concurrent asynchronous authentication attempts. An attacker can exhaust system resources by racing the per-key rate-limit...

CVSS 2.9, AI score 5.8
Exploits: 0, References: 2

Snyk, added 2026/04/09 5:35 p.m.

Authentication Bypass Using an Alternate Path or Channel

Overview: openclaw is 🦞 OpenClaw — Personal AI Assistant. Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel in the Pairing Reconnect Command. An attacker can gain unauthorized access to privileged commands by reconnecting a previously...

CVSS 7.8, AI score 5.8, EPSS 0.00131
Exploits: 0, References: 2

Snyk, added 2026/04/09 5:34 p.m.

Access Control Bypass

Overview: openclaw is 🦞 OpenClaw — Personal AI Assistant. Affected versions of this package are vulnerable to Access Control Bypass due to missing owner-only enforcement in the /allowlist process for cross-channel allowlist writes. An attacker can perform unauthorized modifications to allowlists ...

CVSS 4.8, AI score 5.8, EPSS 0.00237
Exploits: 0, References: 2

Snyk, added 2026/04/09 5:34 p.m.

Insufficient Session Expiration

Overview: openclaw is 🦞 OpenClaw — Personal AI Assistant. Affected versions of this package are vulnerable to Insufficient Session Expiration due to the resolvedAuth process becoming outdated after a configuration reload. An attacker can maintain unauthorized access by leveraging stale...

CVSS 5.4, AI score 5.8, EPSS 0.00215
Exploits: 0, References: 2

Snyk, added 2026/04/09 5:34 p.m.

Incorrect Authorization

Overview: openclaw is 🦞 OpenClaw — Personal AI Assistant. Affected versions of this package are vulnerable to Incorrect Authorization via the node.invoke process. An attacker can alter persistent browser profiles by invoking browser.proxy to bypass the intended profile-mutation guard. Remediation: ...

CVSS 8.1, AI score 5.8, EPSS 0.00258
Exploits: 0, References: 2

Snyk, added 2026/04/09 5:33 p.m.

Incorrect Authorization

Overview: openclaw is 🦞 OpenClaw — Personal AI Assistant. Affected versions of this package are vulnerable to Incorrect Authorization via the device.token.rotate function. An attacker can obtain unauthorized access to roles or scopes by rotating device tokens without the required pairing approval...

CVSS 8.8, AI score 5.8, EPSS 0.00282
Exploits: 0, References: 2

Snyk, added 2026/04/09 5:32 p.m.

Exposure of Resource to Wrong Sphere

Overview: openclaw is 🦞 OpenClaw — Personal AI Assistant. Affected versions of this package are vulnerable to Exposure of Resource to Wrong Sphere in the handling of shared reply MEDIA references, where paths are treated as trusted. An attacker can cause unauthorized access to local files by...

CVSS 5.9, AI score 5.8, EPSS 0.00181
Exploits: 0, References: 2

Snyk, added 2026/04/09 5:32 p.m.

Improper Input Validation

Overview: openclaw is 🦞 OpenClaw — Personal AI Assistant. Affected versions of this package are vulnerable to Improper Input Validation in the strictInlineEval function. An attacker can execute unauthorized inline evaluation commands by exploiting the approval-timeout fallback mechanism, which...

CVSS 7.7, AI score 5.9, EPSS 0.00316
Exploits: 0, References: 2

Snyk, added 2026/04/09 4:41 p.m.

Regular Expression Denial of Service (ReDoS)

Overview: fast-jwt is a fast JSON Web Token implementation. Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the allowedAud, allowedIss, allowedSub, allowedJti, or allowedNonce options when used with RegExp objects and RegExp is configured with nest...

CVSS 6.5, AI score 5.7, EPSS 0.00262
Exploits: 1, References: 2

Snyk, added 2026/04/09 4:41 p.m.

Incorrect Regular Expression

Overview: fast-jwt is a fast JSON Web Token implementation. Affected versions of this package are vulnerable to Incorrect Regular Expression in the allowedAud, allowedIss, allowedSub, allowedJti, or allowedNonce options when used with RegExp objects and RegExp is configured with modifiers such as /...

CVSS 5.3, AI score 5.8, EPSS 0.00383
Exploits: 1, References: 2
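Both fast-jwt entries above concern claim values checked against caller-supplied RegExp objects. The matcher below is an added example, not fast-jwt's code: it shows how a RegExp with a stateful flag (`g` or `y`) makes the same valid claim alternate between accepted and rejected across calls, and it rejects such flags up front while capping claim length, which is the one pattern-independent way to bound backtracking. The option name, the 256-character default and the sample claims are assumptions for the example.

```javascript
// Added example, not fast-jwt code. Two traps when a claim is matched against
// a user-supplied RegExp:
//  1. a RegExp with the g or y flag carries lastIndex between .test() calls,
//     so verification of identical tokens flips between true and false;
//  2. a pattern with nested quantifiers can backtrack for a very long time on
//     a long, almost-matching claim, and the claim comes from the token.
// makeClaimMatcher refuses stateful flags at construction and bounds the
// claim length before any pattern runs.

function makeClaimMatcher(allowed, { maxLength = 256 } = {}) {
  const rules = Array.isArray(allowed) ? allowed : [allowed];
  for (const rule of rules) {
    if (rule instanceof RegExp) {
      if (rule.global || rule.sticky) {
        throw new TypeError(
          `${rule} uses a stateful flag (g or y); lastIndex would leak between verifications`,
        );
      }
    } else if (typeof rule !== 'string') {
      throw new TypeError('allowed values must be strings or RegExp objects');
    }
  }
  return function matches(claim) {
    // Backtracking cost grows with input length; an attacker controls the
    // claim, so cap it before the pattern ever sees it.
    if (typeof claim !== 'string' || claim.length > maxLength) return false;
    return rules.some((rule) =>
      rule instanceof RegExp ? rule.test(claim) : rule === claim,
    );
  };
}

// Shows the stateful-flag failure mode: run .test() repeatedly on one value.
function repeatedTest(re, value, times = 4) {
  const results = [];
  for (let i = 0; i < times; i += 1) results.push(re.test(value));
  return results;
}

// Constructed inputs.
const AUD = 'api.example.com';
const STATEFUL_RULE = /^api\.example\.com$/g; // same pattern, wrong flag
const STATELESS_RULE = /^api\.example\.com$/;
```

With the `g` flag, the first `test()` succeeds and leaves `lastIndex` at the end of the string, so the second call starts there and fails, and the pattern keeps alternating. Stripping the flag (or resetting `lastIndex`) fixes the flip; only a length cap or a backtracking-free pattern addresses the ReDoS half.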

Snyk, added 2026/04/09 4:14 p.m.

Unintended Proxy or Intermediary ('Confused Deputy')

Overview: axios is a promise-based HTTP client for the browser and Node.js. Affected versions of this package are vulnerable to Unintended Proxy or Intermediary ('Confused Deputy') via improper hostname normalization in the NO_PROXY environment variable. An attacker controlling request URLs can acces...

CVSS 9.9, AI score 5.7, EPSS 0.01186
Exploits: 1, References: 2

Snyk, added 2026/04/09 4:14 p.m.

Unintended Proxy or Intermediary ('Confused Deputy')

Overview: org.webjars.npm:axios is a promise-based HTTP client for the browser and Node.js. Affected versions of this package are vulnerable to Unintended Proxy or Intermediary ('Confused Deputy') via improper hostname normalization in the NO_PROXY environment variable. An attacker controlling reques...

CVSS 9.9, AI score 5.7, EPSS 0.01186
Exploits: 1, References: 2
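The two axios entries above (npm and the WebJars repackaging) describe the same problem: the request URL's host is compared against NO_PROXY entries without being normalized first, so a URL the attacker controls can be written so that it is routed onto, or kept off, the proxy. The check below is an added example, not axios's code; the matching semantics (bare entry matches exactly, leading dot matches the host and its subdomains, `*` matches everything, an entry with a port applies to that port only) and the sample URLs are assumptions for the example.

```javascript
// Added example, not axios code: decide whether a request bypasses the proxy
// according to a NO_PROXY list, normalising both sides before comparing.
// Trailing dots, letter case and IPv6 brackets are the usual spellings that
// a naive string comparison gets wrong.

function normalizeHost(host) {
  let h = host.trim().toLowerCase();
  if (h.startsWith('[') && h.endsWith(']')) h = h.slice(1, -1); // IPv6 literal
  while (h.endsWith('.')) h = h.slice(0, -1);                     // FQDN trailing dot
  return h;
}

// Parse "a.example.com, .internal, localhost:3000, [::1]:8080, *" into rules.
function parseNoProxy(noProxy) {
  return noProxy
    .split(',')
    .map((s) => s.trim())
    .filter(Boolean)
    .map((entry) => {
      if (entry === '*') return { host: '*', suffix: false, port: null };
      let host = entry;
      let port = null;
      // "host:port" or "[v6]:port"; a bare IPv6 address has no port part.
      const m = entry.match(/^(\[[^\]]+\]|[^:]+)(?::(\d+))?$/);
      if (m) {
        host = m[1];
        port = m[2] ? Number(m[2]) : null;
      }
      const suffix = host.startsWith('.');
      return { host: normalizeHost(suffix ? host.slice(1) : host), suffix, port };
    });
}

function effectivePort(url) {
  if (url.port) return Number(url.port);
  return url.protocol === 'https:' ? 443 : 80;
}

// Weak: raw hostname against raw entries. 'internal.example.com.' (trailing
// dot, which the URL parser preserves) does not equal 'internal.example.com',
// so the request is sent through the proxy instead of directly.
function shouldBypassProxyNaive(urlString, noProxy) {
  const { hostname } = new URL(urlString);
  return noProxy.split(',').map((s) => s.trim()).includes(hostname);
}

// Hardened: normalise both sides and honour suffix and port rules.
function shouldBypassProxy(urlString, noProxy) {
  const url = new URL(urlString);
  const host = normalizeHost(url.hostname);
  const port = effectivePort(url);
  for (const rule of parseNoProxy(noProxy)) {
    if (rule.host === '*') return true;
    if (rule.port !== null && rule.port !== port) continue;
    if (rule.suffix) {
      if (host === rule.host || host.endsWith('.' + rule.host)) return true;
    } else if (host === rule.host) {
      return true;
    }
  }
  return false;
}
```

CIDR entries such as `10.0.0.0/8` are out of scope here; if the deployment relies on them, they need an address parser rather than string matching. The suffix rule deliberately requires a dot boundary, so `.example.com` does not match `notexample.com`.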

Snyk, added 2026/04/09 4:14 p.m.

Incorrect Authorization

Overview: kibana is an open source, Apache-licensed, browser-based analytics and search dashboard for Elasticsearch. Affected versions of this package are vulnerable to Incorrect Authorization via the enrollment endpoint. An attacker can access Fleet Server policy details from unauthorized spaces b...

CVSS 5.3, AI score 5.7, EPSS 0.00175
Exploits: 0, References: 2

Snyk, added 2026/04/09 4:14 p.m.

Allocation of Resources Without Limits or Throttling

Overview: kibana is an open source, Apache-licensed, browser-based analytics and search dashboard for Elasticsearch. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the automatic import plugin. An attacker can cause backend services to...

CVSS 7.1, AI score 5.7, EPSS 0.0024
Exploits: 0, References: 2

Snyk, added 2026/04/09 4:14 p.m.

Incorrect Authorization

Overview: kibana is an open source, Apache-licensed, browser-based analytics and search dashboard for Elasticsearch. Affected versions of this package are vulnerable to Incorrect Authorization via the Fleet internal API endpoint. An attacker can access sensitive configuration data, including privat...

CVSS 7.7, AI score 5.8, EPSS 0.00282
Exploits: 0, References: 2

Snyk, added 2026/04/09 4:14 p.m.

Use After Free

Overview: Affected versions of this package are vulnerable to Use After Free in the png_set_PLTE, png_set_tRNS, and png_set_hIST functions. An attacker can cause corrupted chunk metadata or leak heap contents by passing a pointer obtained from png_get_PLTE, png_get_tRNS, or png_get_hIST back into the...

CVSS 7.3, AI score 5.8, EPSS 0.00195
Exploits: 1, References: 2

Snyk, added 2026/04/09 4:14 p.m.

Execution with Unnecessary Privileges

Overview: kibana is an open source, Apache-licensed, browser-based analytics and search dashboard for Elasticsearch. Affected versions of this package are vulnerable to Execution with Unnecessary Privileges in the Fleet plugin debug route handlers. An attacker can access index data outside of their...

CVSS 7.7, AI score 5.7, EPSS 0.003
Exploits: 0, References: 2

Snyk, added 2026/04/09 3:35 p.m.

Arbitrary Argument Injection

Overview: github.com/hashicorp/go-getter is a package for downloading things from a string URL using a variety of protocols. Affected versions of this package are vulnerable to Arbitrary Argument Injection via the GitGetter function that lacks validation for git options when attempting to check th...

CVSS 8.7, AI score 6, EPSS 0.00583
Exploits: 1, References: 2

Snyk, added 2026/04/09 3:13 p.m.

Cross-site Scripting (XSS)

Overview: org.webjars.npm:rrweb-snapshot is rrweb's component to take a snapshot of the DOM, aka DOM serializer. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the rrweb-snapshot process. An attacker can execute arbitrary web scripts or inject malicious HTML by...

CVSS 6.1, AI score 5.9, EPSS 0.00239
Exploits: 0, References: 2

Snyk, added 2026/04/09 3:13 p.m.

Cross-site Scripting (XSS)

Overview: rrweb-snapshot is rrweb's component to take a snapshot of the DOM, aka DOM serializer. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the rrweb-snapshot process. An attacker can execute arbitrary web scripts or inject malicious HTML by submitting a speciall...

CVSS 6.1, AI score 5.8, EPSS 0.00239
Exploits: 0, References: 2

Snyk, added 2026/04/09 2:22 p.m.

Incomplete List of Disallowed Inputs

Overview: openclaw is 🦞 OpenClaw — Personal AI Assistant. Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs via the handling of environment variables in the exec env denylist. An attacker can execute arbitrary commands by injecting malicious values into...

CVSS 8.6, AI score 6, EPSS 0.00188
Exploits: 0, References: 3

Snyk, added 2026/04/09 2:22 p.m.

Trust Boundary Violation

Overview: openclaw is 🦞 OpenClaw — Personal AI Assistant. Affected versions of this package are vulnerable to Trust Boundary Violation via the wake process. An attacker can inject unauthorized payloads into the trusted System: prompt channel by sending authenticated /hooks/wake or mapped wake...

CVSS 8.5, AI score 5.8
Exploits: 0, References: 2

Snyk, added 2026/04/09 2:22 p.m.

Trust Boundary Violation

Overview: openclaw is 🦞 OpenClaw — Personal AI Assistant. Affected versions of this package are vulnerable to Trust Boundary Violation via the process handling background runtime output injection into trusted System: events. An attacker can escalate privileges or inject unauthorized commands by...

CVSS 7.3, AI score 5.8
Exploits: 0, References: 2

Snyk, added 2026/04/09 12:31 p.m.

Allocation of Resources Without Limits or Throttling

Overview: Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the /lifecycle webhook endpoint. An attacker can exhaust system memory and disrupt service availability by sending an oversized JSON payload. Remediation: Upgrade...

CVSS 6.5, AI score 5.8, EPSS 0.00311
Exploits: 0, References: 2

Snyk, added 2026/04/09 12:31 p.m.

Allocation of Resources Without Limits or Throttling

Overview: Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the /changes webhook endpoint. An attacker can exhaust system memory by sending an oversized JSON payload. Remediation: Upgrade github.com/mattermost/mattermost-plugin-msteams/serv...

CVSS 7.1, AI score 5.8, EPSS 0.00311
Exploits: 0, References: 2

Snyk, added 2026/04/09 12:31 p.m.

Information Exposure

Overview: Affected versions of this package are vulnerable to Information Exposure due to the exposure of sensitive data to unauthorized actors. An attacker can access sensitive data such as database credentials by exploiting this vulnerability. Workaround: This vulnerability can be mitigated by...

CVSS 7.5, AI score 7.2, EPSS 0.01201
Exploits: 0, References: 2

Snyk, added 2026/04/09 12:31 p.m.

Information Exposure

Overview: Affected versions of this package are vulnerable to Information Exposure due to the exposure of sensitive data to unauthorized actors. An attacker can access sensitive data such as database credentials by exploiting this vulnerability. Workaround: This vulnerability can be mitigated by...

CVSS 7.5, AI score 7.2, EPSS 0.01201
Exploits: 0, References: 2

Snyk, added 2026/04/09 12:31 p.m.

Information Exposure

Overview: Affected versions of this package are vulnerable to Information Exposure due to the exposure of sensitive data to unauthorized actors. An attacker can access sensitive data such as database credentials by exploiting this vulnerability. Workaround: This vulnerability can be mitigated by...

CVSS 7.5, AI score 7.2, EPSS 0.01201
Exploits: 0, References: 2

Snyk, added 2026/04/09 12:31 p.m.

Information Exposure

Overview: Affected versions of this package are vulnerable to Information Exposure due to the exposure of sensitive data to unauthorized actors. An attacker can access sensitive data such as database credentials by exploiting this vulnerability. Workaround: This vulnerability can be mitigated by...

CVSS 7.5, AI score 7.2, EPSS 0.01201
Exploits: 0, References: 2

Snyk, added 2026/04/09 12:31 p.m.

Information Exposure

Overview: Affected versions of this package are vulnerable to Information Exposure due to the exposure of sensitive data to unauthorized actors. An attacker can access sensitive data such as database credentials by exploiting this vulnerability. Workaround: This vulnerability can be mitigated by...

CVSS 7.5, AI score 7.2, EPSS 0.01201
Exploits: 0, References: 2

Snyk, added 2026/04/09 12:10 p.m.

Insufficient Session Expiration

Overview: Affected versions of this package are vulnerable to Insufficient Session Expiration through the logout handler in airflow-core/src/airflow/api_fastapi/core_api/routes/public/auth.py and the token validation path in airflow-core/src/airflow/api_fastapi/auth/managers/base_auth_manager.py. An...

CVSS 9.1, AI score 5.8, EPSS 0.00667
Exploits: 0, References: 2

Snyk, added 2026/04/09 10:07 a.m.

Incomplete List of Disallowed Inputs

Overview: Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs via the isVMLowLevelOptionForbidden function in lxd/project/limits/permissions.go. An attacker can set forbidden low-level VM configuration keys, such as raw.apparmor or raw.qemu.conf in a project th...

CVSS 9.1, AI score 5.4, EPSS 0.00363
Exploits: 0, References: 2

Total number of security vulnerabilities: 33588