33588 matches found

Snyk | added 2026/04/08 3:03 p.m. | 3 views

UNIX Symbolic Link (Symlink) Following

Overview: liquidjs is a simple, expressive, safe and Shopify compatible template engine in pure JavaScript. Affected versions of this package are vulnerable to UNIX Symbolic Link (Symlink) Following through the include, render, and layout directories, when symlinks are placed within a trusted...

CVSS 8.2 | AI score 5.8 | EPSS 0.00396
Exploits: 1 | References: 2
Snyk | added 2026/04/08 3:00 p.m. | 2 views

Allocation of Resources Without Limits or Throttling

Overview: liquidjs is a simple, expressive, safe and Shopify compatible template engine in pure JavaScript. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling through the replace filter when the memoryLimit option is enabled. An attacker can...

CVSS 6 | AI score 5.8 | EPSS 0.00495
Exploits: 1 | References: 2
Snyk | added 2026/04/08 2:11 p.m. | 4 views

Sensitive Information in Resource Not Removed Before Reuse

Overview: Affected versions of this package are vulnerable to Sensitive Information in Resource Not Removed Before Reuse in the JASPIAuthenticator. An attacker can gain unauthorized access or escalate privileges by exploiting residual ThreadLocal values that are not cleared after authentication...

CVSS 9.1 | AI score 5.8 | EPSS 0.00529
Exploits: 0 | References: 2
Snyk | added 2026/04/08 2:11 p.m. | 3 views

Sensitive Information in Resource Not Removed Before Reuse

Overview: Affected versions of this package are vulnerable to Sensitive Information in Resource Not Removed Before Reuse in the JASPIAuthenticator. An attacker can gain unauthorized access or escalate privileges by exploiting residual ThreadLocal values that are not cleared after authentication...

CVSS 9.1 | AI score 5.8 | EPSS 0.00529
Exploits: 0 | References: 2
Snyk | added 2026/04/08 2:11 p.m. | 4 views

Sensitive Information in Resource Not Removed Before Reuse

Overview: Affected versions of this package are vulnerable to Sensitive Information in Resource Not Removed Before Reuse in the JASPIAuthenticator. An attacker can gain unauthorized access or escalate privileges by exploiting residual ThreadLocal values that are not cleared after authentication...

CVSS 9.1 | AI score 5.8 | EPSS 0.00529
Exploits: 0 | References: 2
Snyk | added 2026/04/08 1:47 p.m. | 7 views

Incorrect Default Permissions

Amendment: This was deemed not a vulnerability.

Overview: ansible is a simple IT automation system. Affected versions of this package are vulnerable to Incorrect Default Permissions via excessive group-writable permissions on the /etc/passwd file during the build process. An attacker can gain full...

CVSS 7.1 | AI score 6 | EPSS 0.00147
Exploits: 0 | References: 2
Snyk | added 2026/04/08 1:10 p.m. | 5 views

Improper Isolation or Compartmentalization

Overview: pretix ("Reinventing presales, one ticket at a time"). Affected versions of this package are vulnerable to Improper Isolation or Compartmentalization in the check-in events endpoint. An attacker can access sensitive information related to all check-in events under the same organizer,...

CVSS 8 | AI score 5.8 | EPSS 0.00255
Exploits: 0 | References: 2
Snyk | added 2026/04/08 6:27 a.m. | 2 views

Embedded Malicious Code

Overview: Affected versions of this package are vulnerable to Embedded Malicious Code that mirrors the TeamPCP LiteLLM technique. What the postinstall payload does:
- Harvests environment variables matching 40+ patterns (AWS, GCP, Azure, GitHub, OpenAI, Stripe, etc.)
- Reads SSH keys, .npmrc,...

CVSS 9.8 | AI score 5.8
Exploits: 0 | References: 2
Snyk | added 2026/04/08 6:27 a.m. | 2 views

Embedded Malicious Code

Overview: @fairwords/loopback-connector-es is a basic Elasticsearch datasource connector for Loopback. Affected versions of this package are vulnerable to Embedded Malicious Code that mirrors the TeamPCP LiteLLM technique. What the postinstall payload does:
- Harvests environment variables matchin...

CVSS 9.8 | AI score 5.8
Exploits: 0 | References: 2
Snyk | added 2026/04/08 6:27 a.m. | 1 view

Embedded Malicious Code

Overview: @fairwords/websocket is a WebSocket client & server implementation for Node. Affected versions of this package are vulnerable to Embedded Malicious Code that mirrors the TeamPCP LiteLLM technique. What the postinstall payload does:
- Harvests environment variables matching 40+ patterns...

CVSS 9.8 | AI score 5.8
Exploits: 0 | References: 2
Snyk | added 2026/04/08 12:18 a.m. | 12 views

Uncaught Exception

Overview: Affected versions of this package are vulnerable to Uncaught Exception via the eventstream decoder process. An attacker can cause the host process to terminate unexpectedly by sending a crafted EventStream response frame containing a header value type byte outside the valid range...

CVSS 8.2 | AI score 5.4
Exploits: 0 | References: 2
Snyk | added 2026/04/08 12:18 a.m. | 4 views

Uncaught Exception

Overview: Affected versions of this package are vulnerable to Uncaught Exception via the eventstream decoder process. An attacker can cause the host process to terminate unexpectedly by sending a crafted EventStream response frame containing a header value type byte outside the valid range...

CVSS 8.2 | AI score 5.4
Exploits: 0 | References: 2
Snyk | added 2026/04/08 12:18 a.m. | 5 views

Uncaught Exception

Overview: Affected versions of this package are vulnerable to Uncaught Exception via the eventstream decoder process. An attacker can cause the host process to terminate unexpectedly by sending a crafted EventStream response frame containing a header value type byte outside the valid range...

CVSS 8.2 | AI score 5.4
Exploits: 0 | References: 2
Snyk | added 2026/04/08 12:18 a.m. | 5 views

Uncaught Exception

Overview: Affected versions of this package are vulnerable to Uncaught Exception via the eventstream decoder process. An attacker can cause the host process to terminate unexpectedly by sending a crafted EventStream response frame containing a header value type byte outside the valid range...

CVSS 8.2 | AI score 5.4
Exploits: 0 | References: 2
Snyk | added 2026/04/08 12:18 a.m. | 3 views

Uncaught Exception

Overview: Affected versions of this package are vulnerable to Uncaught Exception via the eventstream decoder process. An attacker can cause the host process to terminate unexpectedly by sending a crafted EventStream response frame containing a header value type byte outside the valid range...

CVSS 8.2 | AI score 5.4
Exploits: 0 | References: 2
Snyk | added 2026/04/08 12:18 a.m. | 4 views

Uncaught Exception

Overview: Affected versions of this package are vulnerable to Uncaught Exception via the eventstream decoder process. An attacker can cause the host process to terminate unexpectedly by sending a crafted EventStream response frame containing a header value type byte outside the valid range...

CVSS 8.2 | AI score 5.4
Exploits: 0 | References: 2
Snyk | added 2026/04/08 12:18 a.m. | 4 views

Uncaught Exception

Overview: Affected versions of this package are vulnerable to Uncaught Exception via the eventstream decoder process. An attacker can cause the host process to terminate unexpectedly by sending a crafted EventStream response frame containing a header value type byte outside the valid range...

CVSS 8.2 | AI score 5.4
Exploits: 0 | References: 2
Snyk | added 2026/04/08 12:18 a.m. | 6 views

Uncaught Exception

Overview: Affected versions of this package are vulnerable to Uncaught Exception via the eventstream decoder process. An attacker can cause the host process to terminate unexpectedly by sending a crafted EventStream response frame containing a header value type byte outside the valid range...

CVSS 8.2 | AI score 5.4
Exploits: 0 | References: 2
Snyk | added 2026/04/08 12:18 a.m. | 8 views

Uncaught Exception

Overview: Affected versions of this package are vulnerable to Uncaught Exception via the eventstream decoder process. An attacker can cause the host process to terminate unexpectedly by sending a crafted EventStream response frame containing a header value type byte outside the valid range...

CVSS 8.2 | AI score 5.4
Exploits: 0 | References: 2
Snyk | added 2026/04/08 12:18 a.m. | 3 views

Uncaught Exception

Overview: Affected versions of this package are vulnerable to Uncaught Exception via the eventstream decoder process. An attacker can cause the host process to terminate unexpectedly by sending a crafted EventStream response frame containing a header value type byte outside the valid range...

CVSS 8.2 | AI score 5.4
Exploits: 0 | References: 2
Snyk | added 2026/04/08 12:18 a.m. | 4 views

Uncaught Exception

Overview: Affected versions of this package are vulnerable to Uncaught Exception via the eventstream decoder process. An attacker can cause the host process to terminate unexpectedly by sending a crafted EventStream response frame containing a header value type byte outside the valid range...

CVSS 8.2 | AI score 5.4
Exploits: 0 | References: 2
Snyk | added 2026/04/08 12:18 a.m. | 3 views

Uncaught Exception

Overview: Affected versions of this package are vulnerable to Uncaught Exception via the eventstream decoder process. An attacker can cause the host process to terminate unexpectedly by sending a crafted EventStream response frame containing a header value type byte outside the valid range...

CVSS 8.2 | AI score 5.4
Exploits: 0 | References: 2
Snyk | added 2026/04/08 12:18 a.m. | 6 views

Directory Traversal

Overview: emmett is "The web framework for inventors". Affected versions of this package are vulnerable to Directory Traversal via the RSGI static handler for internal assets. An attacker can access arbitrary files outside the intended directory by sending specially crafted requests containing...

CVSS 9.1 | AI score 6.4 | EPSS 0.00495
Exploits: 0 | References: 2
Snyk | added 2026/04/08 12:18 a.m. | 1 view

Incorrect Authorization

Overview: pyload-ng is the free and open-source download manager written in pure Python. Affected versions of this package are vulnerable to Incorrect Authorization in the WebUI JSON endpoints due to weaker permission checks than those enforced by the core API. An attacker can perform unauthorize...

CVSS 5.4 | AI score 5.8 | EPSS 0.00219
Exploits: 1 | References: 2
Snyk | added 2026/04/08 12:17 a.m. | 5 views

Improper Verification of Cryptographic Signature

Overview: lightrag-hku is LightRAG, "Simple and Fast Retrieval-Augmented Generation". Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature in the validatetoken function. An attacker can gain unauthorized access to protected resources by crafting a JWT...

CVSS 9.3 | AI score 5.8 | EPSS 0.00154
Exploits: 1 | References: 2
Snyk | added 2026/04/08 12:17 a.m. | 3 views

Improper Input Validation

Overview: hono is an ultrafast web framework for the edges. Affected versions of this package are vulnerable to Improper Input Validation via the getCookie function. An attacker can override legitimate cookies and bypass prefix protections by setting cookies with non-breaking space prefixes, leadin...

CVSS 6.3 | AI score 5.8 | EPSS 0.00284
Exploits: 0 | References: 2
Snyk | added 2026/04/08 12:17 a.m. | 4 views

Incorrect Behavior Order: Validate Before Canonicalize

Overview: hono is an ultrafast web framework for the edges. Affected versions of this package are vulnerable to Incorrect Behavior Order: Validate Before Canonicalize in the ipRestriction function. An attacker can bypass access restrictions by sending requests from IPv4-mapped IPv6 addresses, which...

CVSS 6.3 | AI score 5.8 | EPSS 0.00342
Exploits: 0 | References: 2
Snyk | added 2026/04/08 12:17 a.m. | 4 views

HTTP Response Splitting

Overview: hono is an ultrafast web framework for the edges. Affected versions of this package are vulnerable to HTTP Response Splitting via the setCookie function. An attacker can cause runtime errors and potentially disrupt application behavior by supplying specially crafted input as the cookie...

CVSS 6.9 | AI score 5.8
Exploits: 0 | References: 2
Snyk | added 2026/04/08 12:16 a.m. | 2 views

Directory Traversal

Overview: hono is an ultrafast web framework for the edges. Affected versions of this package are vulnerable to Directory Traversal in the toSSG function when handling dynamic route parameters provided via ssgParams. An attacker can cause files to be written outside the intended output directory by...

CVSS 7.5 | AI score 6.2 | EPSS 0.00532
Exploits: 1 | References: 2
Snyk | added 2026/04/08 12:16 a.m. | 11 views

Directory Traversal

Overview: hono is an ultrafast web framework for the edges. Affected versions of this package are vulnerable to Directory Traversal via the serveStatic function. An attacker can access sensitive static files intended to be protected by route-based middleware by crafting request paths with repeated...

CVSS 6.9 | AI score 6.3 | EPSS 0.00459
Exploits: 0 | References: 2
Snyk | added 2026/04/08 12:16 a.m. | 4 views

Directory Traversal

Overview: @hono/node-server is a Node.js adapter for Hono. Affected versions of this package are vulnerable to Directory Traversal due to inconsistent handling of repeated slashes in the serveStatic process. An attacker can access sensitive static files that are intended to be protected by bypassin...

CVSS 6.9 | AI score 6.3 | EPSS 0.00376
Exploits: 0 | References: 2
Snyk | added 2026/04/08 12:16 a.m. | 9 views

Improper Handling of Highly Compressed Data (Data Amplification)

Overview: Affected versions of this package are vulnerable to Improper Handling of Highly Compressed Data (Data Amplification) through the JWE decompression, which has no upper limit for plaintext size. An attacker can exhaust system memory by sending specially crafted compressed tokens that decompres...

CVSS 7.5 | AI score 6.6 | EPSS 0.0098
Exploits: 2 | References: 2
Snyk | added 2026/04/08 12:15 a.m. | 5 views

Not Failing Securely ('Failing Open')

Overview: rack-session is a session implementation for Rack. Affected versions of this package are vulnerable to Not Failing Securely ('Failing Open') in the Rack::Session::Cookie function when it is configured with the secrets: option. An attacker can gain unauthorized access or escalate privileges...

CVSS 9.8 | AI score 5.8 | EPSS 0.0027
Exploits: 1 | References: 2
Snyk | added 2026/04/08 12:14 a.m. | 42 views

SQL Injection

Overview: drizzle-orm is a Drizzle ORM package for SQL databases. Affected versions of this package are vulnerable to SQL Injection through the escapeName handling in the PostgreSQL, SQLite, and SingleStore dialects. An attacker can inject arbitrary SQL by supplying a malicious identifier to...

CVSS 9.8 | AI score 6.2 | EPSS 0.00392
Exploits: 0 | References: 2
Snyk | added 2026/04/08 12:14 a.m. | 1 view

Insertion of Sensitive Information Into Sent Data

Overview: parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Insertion of Sensitive Information Into Sent Data via the GET /sessions/me endpoint, which fails to enforce protectedFields...

CVSS 5.3 | AI score 5.8 | EPSS 0.00193
Exploits: 0 | References: 2
Snyk | added 2026/04/08 12:12 a.m. | 5 views

Directory Traversal

Overview: Affected versions of this package are vulnerable to Directory Traversal via the validate function in the /api/configuration/name configuration API endpoint. An attacker can gain unauthorized read access to sensitive configuration files outside the intended directory by submitting special...

CVSS 6.9 | AI score 6.4 | EPSS 0.0032
Exploits: 1 | References: 2
Snyk | added 2026/04/08 12:12 a.m. | 6 views

Directory Traversal

Overview: Affected versions of this package are vulnerable to Directory Traversal via the validate function in the /api/configuration/name configuration API endpoint. An attacker can gain unauthorized read access to sensitive configuration files outside the intended directory by submitting special...

CVSS 6.9 | AI score 6.4 | EPSS 0.0032
Exploits: 1 | References: 2
Snyk | added 2026/04/08 12:12 a.m. | 13 views

Command Injection

Overview: Affected versions of this package are vulnerable to Command Injection via the Executrix utility when configuration-derived values, such as PLACENAME, are concatenated into shell commands without sufficient sanitization. An attacker can achieve arbitrary command execution by supplying...

CVSS 8.6 | AI score 6 | EPSS 0.00563
Exploits: 1 | References: 2
Snyk | added 2026/04/08 12:12 a.m. | 3 views

Command Injection

Overview: Affected versions of this package are vulnerable to Command Injection via the Executrix utility when configuration-derived values, such as PLACENAME, are concatenated into shell commands without sufficient sanitization. An attacker can achieve arbitrary command execution by supplying...

CVSS 8.6 | AI score 6 | EPSS 0.00563
Exploits: 1 | References: 2
Snyk | added 2026/04/08 12:12 a.m. | 4 views

Uncontrolled Recursion

Overview: fastfeedparser is a high-performance RSS, Atom, JSON and RDF feed parser in Python. Affected versions of this package are vulnerable to Uncontrolled Recursion through the parse function when processing HTML responses containing a tag, which leads to unbounded recursion without a redirect...

CVSS 8.7 | AI score 5.8 | EPSS 0.00328
Exploits: 1 | References: 2
Snyk | added 2026/04/08 12:12 a.m. | 5 views

Cross-site Request Forgery (CSRF)

Overview: rwsdk ("Build fast, server-driven webapps on Cloudflare with SSR, RSC, and realtime"). Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) via the server function dispatch process. An attacker can cause unauthorized state-changing operations by tricking a...

CVSS 8.1 | AI score 5.8 | EPSS 0.0021
Exploits: 0 | References: 2
Snyk | added 2026/04/08 12:08 a.m. | 4 views

Server-side Request Forgery (SSRF)

Overview: wwbn/avideo is an Audio and Video Platform, or simply "A Video Platform". Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) in the downloadURL parameter processing in objects/aVideoEncoder.json.php. An attacker can access internal resources and exfiltrat...

CVSS 7.1 | AI score 5.8 | EPSS 0.00206
Exploits: 0 | References: 2
Snyk | added 2026/04/08 12:08 a.m. | 5 views

Directory Traversal

Overview: wwbn/avideo is an Audio and Video Platform, or simply "A Video Platform". Affected versions of this package are vulnerable to Directory Traversal via the downloadURLgifimage parameter in the GIF poster upload process. An attacker can access and disclose arbitrary server-local files by...

CVSS 7.6 | AI score 6.3 | EPSS 0.00412
Exploits: 0 | References: 2
Snyk | added 2026/04/08 12:08 a.m. | 8 views

Server-side Request Forgery (SSRF)

Overview: wwbn/avideo is an Audio and Video Platform, or simply "A Video Platform". Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) in the restreamerURL parameter of the restream log callback flow. An attacker can access internal network resources and retrieve...

CVSS 7.1 | AI score 5.9 | EPSS 0.0021
Exploits: 0 | References: 2
Snyk | added 2026/04/08 12:08 a.m. | 4 views

Cross-site Scripting (XSS)

Overview: wwbn/avideo is an Audio and Video Platform, or simply "A Video Platform". Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the handling of programme titles from user-supplied XML in the EPG feature. An attacker can execute arbitrary JavaScript in the browser...

CVSS 5.4 | AI score 5.8 | EPSS 0.00195
Exploits: 0 | References: 2
Snyk | added 2026/04/08 12:08 a.m. | 4 views

Insufficient Verification of Data Authenticity

Overview: wwbn/avideo is an Audio and Video Platform, or simply "A Video Platform". Affected versions of this package are vulnerable to Insufficient Verification of Data Authenticity through the ipn.php process. An attacker can repeatedly increase their wallet balance and renew subscriptions by...

CVSS 7.1 | AI score 5.8 | EPSS 0.0017
Exploits: 0 | References: 2
Snyk | added 2026/04/08 12:07 a.m. | 6 views

Insertion of Sensitive Information into Log File

Overview: Affected versions of this package are vulnerable to Insertion of Sensitive Information into Log File in the logging process when verbose logging is enabled and per-node BGP peer passwords are configured via node annotations. An attacker can obtain sensitive credential information by...

CVSS 5.6 | AI score 5.4
Exploits: 0 | References: 2
Snyk | added 2026/04/08 12:07 a.m. | 9 views

Arbitrary Argument Injection

Overview: skilleton is a skills skeleton (a deterministic AI skill dependency manager). Affected versions of this package are vulnerable to Arbitrary Argument Injection via improper handling of repository and path input in the normalizeRepoUrl function. An attacker can cause unsafe or inefficient...

CVSS 6.9 | AI score 5.9
Exploits: 0 | References: 2
Snyk | added 2026/04/08 12:07 a.m. | 1 view

Timing Attack

Overview: parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Timing Attack via the login endpoint. An attacker can determine whether a username or email exists in the database by...

CVSS 6.9 | AI score 5.8 | EPSS 0.0023
Exploits: 0 | References: 2
Snyk | added 2026/04/08 12:06 a.m. | 5 views

Cross-site Scripting (XSS)

Overview: justhtml is a pure Python HTML5 parser that just works. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the custom SanitizationPolicy if configured with dropforeignnamespaces=False or allowlisted foreign elements such as MathML or SVG or raw-text...

CVSS 4.7 | AI score 5.8
Exploits: 0 | References: 2

Total number of security vulnerabilities: 33588