35565 matches found
Authorization Bypass Through User-Controlled Key
Overview snipe/snipe-it is an asset management system built on Laravel. Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the POST /api/v1/kits/kitid/licenses endpoint. An attacker can gain unauthorized access to and manipulate license object...
Improper Privilege Management
Overview snipe/snipe-it is an asset management system built on Laravel. Affected versions of this package are vulnerable to Improper Privilege Management via the UsersController::update process. An attacker can remove or downgrade another user's administrative or granular permissions by submittin...
Authorization Bypass Through User-Controlled Key
Overview krayin/laravel-crm is a hand tailored CRM framework built on some of the hottest opensource technologies such as Laravel a PHP framework and Vue.js a progressive Javascript framework. Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via...
Relative Path Traversal
Overview snipe/snipe-it is an asset management system built on Laravel. Affected versions of this package are vulnerable to Relative Path Traversal via the displaySig process. An attacker can access arbitrary files outside the intended directory by supplying crafted input to the filename paramete...
Directory Traversal
Overview mcp-atlassian is a The Model Context Protocol MCP Atlassian integration is an open-source implementation that bridges Atlassian products Jira and Confluence with AI language models following Anthropic's MCP specification. This project enables secure, contextual AI interactions with...
External Control of File Name or Path
Overview mcp-atlassian is a The Model Context Protocol MCP Atlassian integration is an open-source implementation that bridges Atlassian products Jira and Confluence with AI language models following Anthropic's MCP specification. This project enables secure, contextual AI interactions with...
Protection Mechanism Failure
Overview safeinstall-cli is a Local-first CLI that blocks risky npm, pnpm, and bun installs before they run. Open source. Affected versions of this package are vulnerable to Protection Mechanism Failure through improper shell command parsing in the agent guard. An attacker can execute arbitrary...
Arbitrary File Upload
Overview notrinos/notrinos-erp is a web-based enterprise management system that is written in PHP and MySql. NotrinosERP contains all the required modules for running any small to medium size businesses. It supports multi users, multi currencies, multi languages. Affected versions of this package...
Deserialization of Untrusted Data
Overview BabelDOC is a Yet Another Document Translator Affected versions of this package are vulnerable to Deserialization of Untrusted Data in the loaddata process. An attacker can execute arbitrary code with the privileges of the affected process by crafting a PDF that injects an absolute path...
Origin Validation Error
Overview Affected versions of this package are vulnerable to Origin Validation Error in the CheckAuth process. An attacker can gain unauthorized administrative access by sending requests from any Chrome or Chromium browser extension, allowing them to exfiltrate data, inject malicious scripts, and...
Missing Authentication for Critical Function
Overview Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the getDynamicIcon process. An attacker can retrieve sensitive database content by sending crafted requests to the unauthenticated endpoint with a valid block ID and specially crafted...
Improper Handling of Highly Compressed Data (Data Amplification)
Overview credsweeper is a Credential Sweeper Affected versions of this package are vulnerable to Improper Handling of Highly Compressed Data Data Amplification through improper enforcement of size limits during recursive scanning of compressed or archived files. An attacker can cause excessive...
Insecure Default Initialization of Resource
Overview Affected versions of this package are vulnerable to Insecure Default Initialization of Resource via the renderSnippet process. An attacker can execute arbitrary JavaScript code and potentially achieve remote code execution by injecting a crafted CSS snippet containing a tag followed by...
Insecure Default Initialization of Resource
Overview Affected versions of this package are vulnerable to Insecure Default Initialization of Resource via the GetAssetAbsPath process. An attacker can access sensitive files by sending specially crafted HTTP requests with double URL-encoded path segments to the /assets/path endpoint in publish...
Insecure Default Initialization of Resource
Overview Affected versions of this package are vulnerable to Insecure Default Initialization of Resource via the GetAssetAbsPath process. An attacker can access sensitive files by sending specially crafted HTTP requests with double URL-encoded path segments to the /assets/path endpoint in publish...
Malicious Package
Overview polipoli-pak is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Allocation of Resources Without Limits or Throttling
Overview org.webjars.npm:adm-zip is a JavaScript implementation for zip data compression for NodeJS. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in zipEntry.js and entryHeader.js, which size a Buffer.alloc call directly from the...
Allocation of Resources Without Limits or Throttling
Overview adm-zip is a JavaScript implementation for zip data compression for NodeJS. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in zipEntry.js and entryHeader.js, which size a Buffer.alloc call directly from the uncompressed-size field...
Allocation of Resources Without Limits or Throttling
Overview getgrav/grav is a Modern, Crazy Fast, Ridiculously Easy and Amazingly Powerful Flat-File CMS. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the forceResize process in fallbackUrl, which passes unbounded dimension parameters t...
User Impersonation
Overview 9router is a 9Router CLI - Start and manage 9Router server Affected versions of this package are vulnerable to User Impersonation via manipulation of the Host header. An attacker can gain unauthorized access to the /v1 proxy and trigger server-side requests to internal or cloud-metadata...
Missing Authorization
Overview 9router is a 9Router CLI - Start and manage 9Router server Affected versions of this package are vulnerable to Missing Authorization via the rewrite process for the /codex path. An attacker can gain unauthorized access to backend LLM provider credentials and trigger upstream provider cal...
Improper Certificate Validation
Overview Affected versions of this package are vulnerable to Improper Certificate Validation in the SSLClient and Client processes in HTTPS mode when connecting to an IP-literal host with server certificate verification enabled. An attacker can intercept and manipulate encrypted traffic by...
Improper Authentication
Overview 9router is a 9Router CLI - Start and manage 9Router server Affected versions of this package are vulnerable to Improper Authentication via the dashboardGuard.js process. An attacker can gain unauthorized access to sensitive API endpoints by sending requests through a same-host reverse...
Improper Handling of Highly Compressed Data (Data Amplification)
Overview getgrav/grav is a Modern, Crazy Fast, Ridiculously Easy and Amazingly Powerful Flat-File CMS. Affected versions of this package are vulnerable to Improper Handling of Highly Compressed Data Data Amplification via the Installer::unZip process. An attacker can cause a system crash or exhau...
Server-side Request Forgery (SSRF)
Overview mcp-atlassian is a The Model Context Protocol MCP Atlassian integration is an open-source implementation that bridges Atlassian products Jira and Confluence with AI language models following Anthropic's MCP specification. This project enables secure, contextual AI interactions with...
Incorrect Authorization
Overview FlaskBB is an A classic Forum Software in Python using Flask. Affected versions of this package are vulnerable to Incorrect Authorization via manipulation of the topicid parameter in batch requests. An attacker can perform unauthorized actions such as locking, unlocking, deleting, or...
Incorrect Comparison
Overview FlaskBB is an A classic Forum Software in Python using Flask. Affected versions of this package are vulnerable to Incorrect Comparison via the bulkdelete process. An attacker can remove all built-in authorization groups by sending specially crafted JSON data that exploits a type mismatch...
Allocation of Resources Without Limits or Throttling
Overview n8n is a n8n Workflow Automation Tool Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling through the MulterUploadMiddleware in the data-table upload path. An authenticated user can repeatedly upload CSV files to the data-table endpoin...
Protection Mechanism Failure
Overview PraisonAI is a PraisonAI is an AI Agents Framework with Self Reflection. PraisonAI application combines PraisonAI Agents, AutoGen, and CrewAI into a low-code solution for building and managing multi-agent LLM systems, focusing on simplicity, customisation, and efficient human-agent...
Server-side Request Forgery (SSRF)
Overview PraisonAI is a PraisonAI is an AI Agents Framework with Self Reflection. PraisonAI application combines PraisonAI Agents, AutoGen, and CrewAI into a low-code solution for building and managing multi-agent LLM systems, focusing on simplicity, customisation, and efficient human-agent...
Arbitrary Code Injection
Overview PraisonAI is a PraisonAI is an AI Agents Framework with Self Reflection. PraisonAI application combines PraisonAI Agents, AutoGen, and CrewAI into a low-code solution for building and managing multi-agent LLM systems, focusing on simplicity, customisation, and efficient human-agent...
Arbitrary Code Injection
Overview getgrav/grav is a Modern, Crazy Fast, Ridiculously Easy and Amazingly Powerful Flat-File CMS. Affected versions of this package are vulnerable to Arbitrary Code Injection via the offsetGet filter. An attacker can access sensitive configuration data, including secrets such as SMTP...
Protection Mechanism Failure
Overview praisonaiagents is a Praison AI agents for completing complex tasks with Self Reflection Agents Affected versions of this package are vulnerable to Protection Mechanism Failure in the AgentFlow.resolvepydanticclass process. An attacker can execute arbitrary Python code with the privilege...
Time-of-check Time-of-use (TOCTOU) Race Condition
Overview 9router is a 9Router CLI - Start and manage 9Router server Affected versions of this package are vulnerable to Time-of-check Time-of-use TOCTOU Race Condition through the image process in open-sse/translator/concerns/image.js. An attacker can access internal-only HTTP services by...
Directory Traversal
Overview praisonaiagents is a Praison AI agents for completing complex tasks with Self Reflection Agents Affected versions of this package are vulnerable to Directory Traversal via the agent.start process. An attacker can overwrite files outside the intended project directory by supplying a...
Directory Traversal
Overview PraisonAI is a PraisonAI is an AI Agents Framework with Self Reflection. PraisonAI application combines PraisonAI Agents, AutoGen, and CrewAI into a low-code solution for building and managing multi-agent LLM systems, focusing on simplicity, customisation, and efficient human-agent...
Directory Traversal
Overview thorsten/phpmyfaq is a FAQ system for PHP and MySQL, PostgreSQL and other databases Affected versions of this package are vulnerable to Directory Traversal in the concatenatePaths function. An attacker can read arbitrary files outside the intended directory by crafting image paths in HTM...
Directory Traversal
Overview phpmyfaq/phpmyfaq is a FAQ system for PHP and MySQL, PostgreSQL and other databases Affected versions of this package are vulnerable to Directory Traversal in the concatenatePaths function. An attacker can read arbitrary files outside the intended directory by crafting image paths in HTM...
Information Exposure
Overview thorsten/phpmyfaq is a FAQ system for PHP and MySQL, PostgreSQL and other databases Affected versions of this package are vulnerable to Information Exposure due to inconsistent filtering of active status and publication date in public API endpoints. An attacker can access non-public FAQ...
Information Exposure
Overview phpmyfaq/phpmyfaq is a FAQ system for PHP and MySQL, PostgreSQL and other databases Affected versions of this package are vulnerable to Information Exposure due to inconsistent filtering of active status and publication date in public API endpoints. An attacker can access non-public FAQ...
Command Injection
Overview PraisonAI is a PraisonAI is an AI Agents Framework with Self Reflection. PraisonAI application combines PraisonAI Agents, AutoGen, and CrewAI into a low-code solution for building and managing multi-agent LLM systems, focusing on simplicity, customisation, and efficient human-agent...
Improper Handling of Highly Compressed Data (Data Amplification)
Overview getgrav/grav is a Modern, Crazy Fast, Ridiculously Easy and Amazingly Powerful Flat-File CMS. Affected versions of this package are vulnerable to Improper Handling of Highly Compressed Data Data Amplification in the extract function of ZipArchiver due to missing limits on uncompressed...
Directory Traversal
Overview PraisonAI is a PraisonAI is an AI Agents Framework with Self Reflection. PraisonAI application combines PraisonAI Agents, AutoGen, and CrewAI into a low-code solution for building and managing multi-agent LLM systems, focusing on simplicity, customisation, and efficient human-agent...
Directory Traversal
Overview PraisonAI is a PraisonAI is an AI Agents Framework with Self Reflection. PraisonAI application combines PraisonAI Agents, AutoGen, and CrewAI into a low-code solution for building and managing multi-agent LLM systems, focusing on simplicity, customisation, and efficient human-agent...
Missing Authorization
Overview praisonai-platform is a Platform layer for PraisonAI — workspace, auth, issues, projects Affected versions of this package are vulnerable to Missing Authorization via the DELETE dependency route, which accepts either endpoint of a dependency edge and validates permissions only against th...
Missing Authorization
Overview PraisonAI is a PraisonAI is an AI Agents Framework with Self Reflection. PraisonAI application combines PraisonAI Agents, AutoGen, and CrewAI into a low-code solution for building and managing multi-agent LLM systems, focusing on simplicity, customisation, and efficient human-agent...
Cross-site Scripting (XSS)
Overview getgrav/grav is a Modern, Crazy Fast, Ridiculously Easy and Amazingly Powerful Flat-File CMS. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the processUploadedFile function in the media upload API endpoint. An attacker can execute arbitrary JavaScript i...
Malicious Package
Overview higherlogic-ocfe is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview @att-ebiz/abs-components-bc is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...
Malicious Package
Overview @genie-auth/config is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...