35547 matches found
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Overview Affected versions of this package are vulnerable to Improper Neutralization of Special Elements in Output Used by a Downstream Component 'Injection' via the improper handling of HTTP headers in the process. An attacker can manipulate internal Salesforce operation parameters, such as SOQL...
Improper Input Validation
Overview Affected versions of this package are vulnerable to Improper Input Validation via the DaprPubSubConsumer process. An attacker can redirect or exfiltrate messages and bypass intended routing and topic-level access controls by publishing specially crafted CloudEvents with manipulated...
Improper Input Validation
Overview Affected versions of this package are vulnerable to Improper Input Validation via the DaprPubSubConsumer process. An attacker can redirect or exfiltrate messages and bypass intended routing and topic-level access controls by publishing specially crafted CloudEvents with manipulated...
Improperly Controlled Modification of Dynamically-Determined Object Attributes
Overview Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes in the handling of gridfs. HTTP headers, which are not properly filtered and can be set by an HTTP client to control the GridFS operation performed by the...
Improperly Controlled Modification of Dynamically-Determined Object Attributes
Overview Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes via the irc.sendTo header and other irc. headers in HTTP requests. An attacker can redirect outgoing IRC messages to arbitrary channels or users by injecting...
Improper Authentication
Overview Affected versions of this package are vulnerable to Improper Authentication in the KeycloakSecurityPolicy process. An attacker can gain unauthorized access to protected routes by supplying any non-null value in the Authorization: Bearer header, which is accepted without cryptographic...
Information Exposure
Overview org.apache.camel:camel-netty-http is a versatile open-source integration framework based on known Enterprise Integration Patterns. Affected versions of this package are vulnerable to Information Exposure in the muteException option handling of the HTTP consumer. An attacker can obtain...
Information Exposure
Overview Affected versions of this package are vulnerable to Information Exposure in the muteException option handling of the HTTP consumer. An attacker can obtain sensitive internal information, such as Java stack traces containing credentials, hostnames, IP addresses, filesystem paths, and...
Server-side Request Forgery (SSRF)
Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the WebsocketConsumer.service process. An attacker can redirect server-side HTTP requests to arbitrary destinations and access sensitive environment variables, application properties, or vault secret...
Server-side Request Forgery (SSRF)
Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the WebsocketConsumer.service process. An attacker can redirect server-side HTTP requests to arbitrary destinations and access sensitive environment variables, application properties, or vault secret...
Server-side Request Forgery (SSRF)
Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the mapping of externally-supplied message user-headers into the Exchange without applying a header filtering process. An attacker can manipulate internal control headers by injecting specially craft...
Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
Overview Affected versions of this package are vulnerable to Improper Neutralization of Special Elements used in an Expression Language Statement 'Expression Language Injection' due to the lack of an inbound filter rule in Sns2HeaderFilterStrategy. An attacker cannot manipulate internal headers o...
Server-side Request Forgery (SSRF)
Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the mapping of externally-supplied message user-headers into the Exchange without applying a header filtering process. An attacker can manipulate internal control headers by injecting specially craft...
Server-side Request Forgery (SSRF)
Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the mapping of externally-supplied message user-headers into the Exchange without applying a header filtering process. An attacker can manipulate internal control headers by injecting specially craft...
Server-side Request Forgery (SSRF)
Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the WebsocketConsumer.service process. An attacker can redirect server-side HTTP requests to arbitrary destinations and access sensitive environment variables, application properties, or vault secret...
Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
Overview Affected versions of this package are vulnerable to Improper Neutralization of Special Elements used in an Expression Language Statement 'Expression Language Injection' due to the lack of an inbound filter rule in Sns2HeaderFilterStrategy. An attacker cannot manipulate internal headers o...
Command Injection
Overview react-dev-utils is an includes some utilities used by Create React App. Affected versions of this package are vulnerable to Command Injection via the startBrowserProcess function in react-dev-utils/openBrowser.js. An attacker can execute arbitrary operating system commands by supplying...
Protection Mechanism Failure
Overview Affected versions of this package are vulnerable to Protection Mechanism Failure in the client.go process of the Docker API component. An attacker can escape the intended sandbox restrictions by sending crafted requests to the affected API endpoint. Remediation A fix was pushed into the...
Protection Mechanism Failure
Overview Affected versions of this package are vulnerable to Protection Mechanism Failure in the client.go process of the Docker API component. An attacker can escape the intended sandbox restrictions by sending crafted requests to the affected API endpoint. Remediation A fix was pushed into the...
Authorization Bypass Through User-Controlled Key
Overview langgraph is a Building stateful, multi-actor applications with LLMs Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key due to a key collision in the defaultcachekey and freeze functions of langgraph/internal/cache.py, where freeze reduce...
Incorrect Authorization
Overview Affected versions of this package are vulnerable to Incorrect Authorization in the MethodRouter.Handle process of the WebSocket RPC handler. An attacker can gain unauthorized access to sensitive information or perform unauthorized actions by exploiting improper authorization checks...
Incorrect Authorization
Overview Affected versions of this package are vulnerable to Incorrect Authorization in the MethodRouter.Handle process of the WebSocket RPC handler. An attacker can gain unauthorized access to sensitive information or perform unauthorized actions by exploiting improper authorization checks...
Incorrect Authorization
Overview Affected versions of this package are vulnerable to Incorrect Authorization in the MethodRouter.Handle process of the WebSocket RPC handler. An attacker can gain unauthorized access to sensitive information or perform unauthorized actions by exploiting improper authorization checks...
Improper Validation of Consistency within Input
Overview org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Improper Validation of Consistency within Input due to improper validation of the emailverified claim in the...
UNIX Symbolic Link (Symlink) Following
Overview mcp-markdownify-server is a Model Context Protocol MCP server that converts various file types and web content to Markdown format. It provides a set of tools to transform PDFs, images, audio files, web pages, and more into easily readable and shareable Markdown text. Affected versions of...
Insecure Randomness
Overview mcp-markdownify-server is a Model Context Protocol MCP server that converts various file types and web content to Markdown format. It provides a set of tools to transform PDFs, images, audio files, web pages, and more into easily readable and shareable Markdown text. Affected versions of...
Memory Allocation with Excessive Size Value
Overview Affected versions of this package are vulnerable to Memory Allocation with Excessive Size Value in the decodeFromCompressedByteBuffer function due to improper handling of the lengthOfCompressedContents argument. An attacker can cause excessive memory allocation by supplying a crafted...
Memory Allocation with Excessive Size Value
Overview Affected versions of this package are vulnerable to Memory Allocation with Excessive Size Value in the decodeFromByteBuffer function due to improper handling of the numberOfSignificantValueDigits argument. An attacker can cause excessive memory consumption by supplying crafted input...
Malicious Package
Overview @petitcode/eb-retry is a malicious package. This package contains malicious code and is part of a coordinated npm supply-chain campaign. It ships an obfuscated postinstall payload that downloads and executes a Rust-compiled infostealer binary. Impact The infostealer targets crypto wallet...
Malicious Package
Overview @tinyfox/shapecheck is a malicious package. This package contains malicious code and is part of a coordinated npm supply-chain campaign. It ships an obfuscated postinstall payload that downloads and executes a Rust-compiled infostealer binary. Impact The infostealer targets crypto wallet...
Malicious Package
Overview @thymelab/logfx is a malicious package. This package contains malicious code and is part of a coordinated npm supply-chain campaign. It ships an obfuscated postinstall payload that downloads and executes a Rust-compiled infostealer binary. Impact The infostealer targets crypto wallets,...
Malicious Package
Overview paperclip2 is a malicious package. This package contains malicious code and consists solely of a package.json file, with no JavaScript files present. A one-liner embedded in its postinstall script spawns a reverse shell that connects to a remote host on port 7007. Users who have installe...
Embedded Malicious Code
Overview Affected versions of this package are vulnerable to Embedded Malicious Code. This package contains malicious code and was identified as part of the PolinRider supply chain campaign, linked to North Korean threat actors associated with the Contagious Interview/Famous Chollima activity...
Embedded Malicious Code
Overview Affected versions of this package are vulnerable to Embedded Malicious Code. This package contains malicious code and was identified as part of the PolinRider supply chain campaign, linked to North Korean threat actors associated with the Contagious Interview/Famous Chollima activity...
Embedded Malicious Code
Overview Affected versions of this package are vulnerable to Embedded Malicious Code. This package contains malicious code and was identified as part of the PolinRider supply chain campaign, linked to North Korean threat actors associated with the Contagious Interview/Famous Chollima activity...
Embedded Malicious Code
Overview Affected versions of this package are vulnerable to Embedded Malicious Code. This package contains malicious code and was identified as part of the PolinRider supply chain campaign, linked to North Korean threat actors associated with the Contagious Interview/Famous Chollima activity...
Embedded Malicious Code
Overview Affected versions of this package are vulnerable to Embedded Malicious Code. This package contains malicious code and was identified as part of the PolinRider supply chain campaign, linked to North Korean threat actors associated with the Contagious Interview/Famous Chollima activity...
Embedded Malicious Code
Overview Affected versions of this package are vulnerable to Embedded Malicious Code. This package contains malicious code and was identified as part of the PolinRider supply chain campaign, linked to North Korean threat actors associated with the Contagious Interview/Famous Chollima activity...
Embedded Malicious Code
Overview Affected versions of this package are vulnerable to Embedded Malicious Code. This package contains malicious code and was identified as part of the PolinRider supply chain campaign, linked to North Korean threat actors associated with the Contagious Interview/Famous Chollima activity...
Embedded Malicious Code
Overview Affected versions of this package are vulnerable to Embedded Malicious Code. This package contains malicious code and was identified as part of the PolinRider supply chain campaign, linked to North Korean threat actors associated with the Contagious Interview/Famous Chollima activity...
Embedded Malicious Code
Overview Affected versions of this package are vulnerable to Embedded Malicious Code. This package contains malicious code and was identified as part of the PolinRider supply chain campaign, linked to North Korean threat actors associated with the Contagious Interview/Famous Chollima activity...
Embedded Malicious Code
Overview Affected versions of this package are vulnerable to Embedded Malicious Code. This package contains malicious code and was identified as part of the PolinRider supply chain campaign, linked to North Korean threat actors associated with the Contagious Interview/Famous Chollima activity...
Embedded Malicious Code
Overview Affected versions of this package are vulnerable to Embedded Malicious Code. This package contains malicious code and was identified as part of the PolinRider supply chain campaign, linked to North Korean threat actors associated with the Contagious Interview/Famous Chollima activity...
Embedded Malicious Code
Overview Affected versions of this package are vulnerable to Embedded Malicious Code. This package contains malicious code and was identified as part of the PolinRider supply chain campaign, linked to North Korean threat actors associated with the Contagious Interview/Famous Chollima activity...
Embedded Malicious Code
Overview Affected versions of this package are vulnerable to Embedded Malicious Code. This package contains malicious code and was identified as part of the PolinRider supply chain campaign, linked to North Korean threat actors associated with the Contagious Interview/Famous Chollima activity...
Embedded Malicious Code
Overview Affected versions of this package are vulnerable to Embedded Malicious Code. This package contains malicious code and was identified as part of the PolinRider supply chain campaign, linked to North Korean threat actors associated with the Contagious Interview/Famous Chollima activity...
Embedded Malicious Code
Overview Affected versions of this package are vulnerable to Embedded Malicious Code. This package contains malicious code and was identified as part of the PolinRider supply chain campaign, linked to North Korean threat actors associated with the Contagious Interview/Famous Chollima activity...
Embedded Malicious Code
Overview Affected versions of this package are vulnerable to Embedded Malicious Code. This package contains malicious code and was identified as part of the PolinRider supply chain campaign, linked to North Korean threat actors associated with the Contagious Interview/Famous Chollima activity...
Embedded Malicious Code
Overview Affected versions of this package are vulnerable to Embedded Malicious Code. This package contains malicious code and was identified as part of the PolinRider supply chain campaign, linked to North Korean threat actors associated with the Contagious Interview/Famous Chollima activity...
Embedded Malicious Code
Overview Affected versions of this package are vulnerable to Embedded Malicious Code. This package contains malicious code and was identified as part of the PolinRider supply chain campaign, linked to North Korean threat actors associated with the Contagious Interview/Famous Chollima activity...