Lucene search
K

35669 matches found

Snyk
Snyk
•added 2026/07/03 10:18 p.m.•3 views

Improper Verification of Cryptographic Signature

Overview Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature due to ambiguity in the HMAC validation of signed URLs used for artifact access. An attacker can gain unauthorized read access to artifacts across repositories and write to upload-state...

9.6CVSS6AI score0.00177EPSS
Exploits0References2
Snyk
Snyk
•added 2026/07/03 10:18 p.m.•4 views

Improper Verification of Cryptographic Signature

Overview Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature due to ambiguity in the HMAC validation of signed URLs used for artifact access. An attacker can gain unauthorized read access to artifacts across repositories and write to upload-state...

9.6CVSS6AI score0.00177EPSS
Exploits0References2
Snyk
Snyk
•added 2026/07/03 10:18 p.m.•4 views

Improper Verification of Cryptographic Signature

Overview Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature due to ambiguity in the HMAC validation of signed URLs used for artifact access. An attacker can gain unauthorized read access to artifacts across repositories and write to upload-state...

9.6CVSS6AI score0.00177EPSS
Exploits0References2
Snyk
Snyk
•added 2026/07/03 10:18 p.m.•4 views

Improper Authentication

Overview Affected versions of this package are vulnerable to Improper Authentication via a malformed SSH sub-verb in the authentication process. An attacker can gain unauthorized read access to private repositories by crafting specific SSH requests. Remediation Upgrade gitea.dev/cmd to version...

7.7CVSS6AI score0.0031EPSS
Exploits0References2
Snyk
Snyk
•added 2026/07/03 10:18 p.m.•5 views

Improper Authentication

Overview Affected versions of this package are vulnerable to Improper Authentication via a malformed SSH sub-verb in the authentication process. An attacker can gain unauthorized read access to private repositories by crafting specific SSH requests. Remediation Upgrade github.com/go-gitea/gitea/c...

7.7CVSS6AI score0.0031EPSS
Exploits0References2
Snyk
Snyk
•added 2026/07/03 8:36 p.m.•6 views

Deserialization of Untrusted Data

Overview keras is a Keras is a high-level neural networks API for Python.. Affected versions of this package are vulnerable to Deserialization of Untrusted Data in the deserialization process of the Lambda layer when the safemode safeguard is not explicitly enabled. An attacker can execute...

9.8CVSS7.5AI score0.00397EPSS
Exploits1References2
Snyk
Snyk
•added 2026/07/03 8:14 p.m.•8 views

Double Free

Overview Affected versions of this package are vulnerable to Double Free in the ExportToBlob function of the PLY Model Handler component. An attacker can cause memory corruption or application crashes by triggering a double free condition remotely. Remediation There is no fixed version for assimp...

6.5CVSS6.7AI score0.00233EPSS
Exploits0References2
Snyk
Snyk
•added 2026/07/03 7:13 p.m.•6 views

Improper Input Validation

Overview webpack-dev-server is an Uses webpack with a development server that provides live reloading. It should be used for development only. Affected versions of this package are vulnerable to Improper Input Validation through the host-validation process. An attacker can cause the server to...

6.9CVSS6AI score0.00308EPSS
Exploits0References2
Snyk
Snyk
•added 2026/07/03 7:13 p.m.•3 views

Improper Input Validation

Overview org.webjars.npm:webpack-dev-server is an Uses webpack with a development server that provides live reloading. It should be used for development only. Affected versions of this package are vulnerable to Improper Input Validation through the host-validation process. An attacker can cause t...

6.9CVSS6AI score0.00308EPSS
Exploits0References2
Snyk
Snyk
•added 2026/07/03 6:16 p.m.•5 views

Cross-site Request Forgery (CSRF)

Overview webpack-dev-server is an Uses webpack with a development server that provides live reloading. It should be used for development only. Affected versions of this package are vulnerable to Cross-site Request Forgery CSRF via the open-editor and invalidate endpoints. An attacker can open...

5.3CVSS6AI score0.00116EPSS
Exploits0References2
Snyk
Snyk
•added 2026/07/03 6:16 p.m.•3 views

Cross-site Request Forgery (CSRF)

Overview org.webjars.npm:webpack-dev-server is an Uses webpack with a development server that provides live reloading. It should be used for development only. Affected versions of this package are vulnerable to Cross-site Request Forgery CSRF via the open-editor and invalidate endpoints. An...

5.3CVSS6AI score0.00116EPSS
Exploits0References2
Snyk
Snyk
•added 2026/07/03 4:6 p.m.•7 views

Malicious Package

Overview ts-node-utils is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS6AI score
Exploits0References2
Snyk
Snyk
•added 2026/07/03 4:6 p.m.•6 views

Malicious Package

Overview web-api-node is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS6AI score
Exploits0References2
Snyk
Snyk
•added 2026/07/03 4:6 p.m.•8 views

Malicious Package

Overview typescript-util-core is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS6AI score
Exploits0References2
Snyk
Snyk
•added 2026/07/03 4:6 p.m.•5 views

Malicious Package

Overview api-ts-utils is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS6AI score
Exploits0References2
Snyk
Snyk
•added 2026/07/03 4:6 p.m.•6 views

Malicious Package

Overview api-node-utils is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS6AI score
Exploits0References2
Snyk
Snyk
•added 2026/07/03 4:0 p.m.•4 views

Malicious Package

Overview aldermorrgan is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS6AI score
Exploits0References2
Snyk
Snyk
•added 2026/07/03 3:59 p.m.•5 views

Malicious Package

Overview @sql-access/nodesql is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS6AI score
Exploits0References2
Snyk
Snyk
•added 2026/07/03 3:44 p.m.•4 views

Malicious Package

Overview @lodash-en/lodash-en is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS6AI score
Exploits0References2
Snyk
Snyk
•added 2026/07/03 3:37 p.m.•3 views

Insufficient Granularity of Access Control

Overview org.keycloak:keycloak-server-spi-private is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Insufficient Granularity of Access Control in the group retrieval due to an improper conditional...

4.3CVSS6.1AI score0.00172EPSS
Exploits0References2
Snyk
Snyk
•added 2026/07/03 3:37 p.m.•4 views

Malicious Package

Overview decode-sdks is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorshi...

9.8CVSS6AI score
Exploits0References2
Snyk
Snyk
•added 2026/07/03 3:37 p.m.•7 views

Malicious Package

Overview @jacobtan/decode-sdk is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS6AI score
Exploits0References2
Snyk
Snyk
•added 2026/07/03 3:21 p.m.•3 views

Incorrect Authorization

Overview org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Incorrect Authorization via the ClientResource component in the admin REST API when Fine-Grained Admin...

5.9CVSS6.1AI score0.00146EPSS
Exploits0References2
Snyk
Snyk
•added 2026/07/03 3:4 p.m.•4 views

Incorrect Authorization

Overview org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Incorrect Authorization in the RoleContainerResource process when FGAP v2 is enabled. An attacker can access...

4.3CVSS6.1AI score0.00172EPSS
Exploits0References2
Snyk
Snyk
•added 2026/07/03 12:17 p.m.•5 views

Missing Origin Validation in WebSockets

Overview @theia/core is a the main extension for all Theia-based applications, and provides the main framework for all dependent extensions. Affected versions of this package are vulnerable to Missing Origin Validation in WebSockets via the shell-terminal and terminals/:id WebSocket endpoints whe...

8.8CVSS6.2AI score0.00159EPSS
Exploits0References2
Snyk
Snyk
•added 2026/07/03 12:17 p.m.•5 views

Missing Origin Validation in WebSockets

Overview @theia/terminal is a Theia - Terminal Extension Affected versions of this package are vulnerable to Missing Origin Validation in WebSockets via the shell-terminal and terminals/:id WebSocket endpoints when origin validation is bypassed due to missing or manipulated headers. An attacker c...

8.8CVSS6.2AI score0.00159EPSS
Exploits0References2
Snyk
Snyk
•added 2026/07/03 12:17 p.m.•13 views

Server-side Request Forgery (SSRF)

Overview @theia/request is a Theia Proxy-Aware Request Service Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the request-service process. An attacker can access sensitive internal resources by sending crafted URLs to the backend, which then performs...

8.5CVSS5.9AI score0.00297EPSS
Exploits0References2
Snyk
Snyk
•added 2026/07/03 12:17 p.m.•6 views

Server-side Request Forgery (SSRF)

Overview @theia/core is a the main extension for all Theia-based applications, and provides the main framework for all dependent extensions. Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the request-service process. An attacker can access sensitive...

8.5CVSS6AI score0.00297EPSS
Exploits0References2
Snyk
Snyk
•added 2026/07/03 11:17 a.m.•4 views

Directory Traversal

Overview Affected versions of this package are vulnerable to Directory Traversal via the Lucene.Net.Replicator process. An attacker can access arbitrary files on the server by submitting crafted requests containing path traversal sequences. Details A Directory Traversal attack also known as path...

8.9CVSS6.5AI score0.00703EPSS
Exploits0References2
Snyk
Snyk
•added 2026/07/03 9:19 a.m.•6 views

Directory Traversal

Overview Affected versions of this package are vulnerable to Directory Traversal via the Lucene.Net.Replicator process. An attacker can write arbitrary files to the client system by sending specially crafted data from a malicious server. Details A Directory Traversal attack also known as path...

8.9CVSS6.5AI score0.00616EPSS
Exploits0References2
Snyk
Snyk
•added 2026/07/03 9:17 a.m.•4 views

XML External Entity (XXE) Injection

Overview Affected versions of this package are vulnerable to XML External Entity XXE Injection via the PatternParser process. An attacker can access sensitive files or interact with internal systems by submitting crafted XML data that triggers external entity resolution. Details XXE Injection is ...

9.8CVSS6AI score0.00328EPSS
Exploits0References2
Snyk
Snyk
•added 2026/07/03 8:19 a.m.•7 views

Access Control Bypass

Overview Affected versions of this package are vulnerable to Access Control Bypass due to the omission of SSH host verification options in the --proto-default process. An attacker can intercept or impersonate an SSH server by exploiting the lack of host verification during connection establishmen...

7.5CVSS6AI score0.00574EPSS
Exploits1References2
Snyk
Snyk
•added 2026/07/03 8:18 a.m.•9 views

Use After Free

Overview Affected versions of this package are vulnerable to Use After Free in the curleasycleanup process after configuring an HTTP/2 stream-dependency tree using CURLOPTSTREAMDEPENDS or CURLOPTSTREAMDEPENDSE and invoking curleasyreset. An attacker can cause the application to access freed memor...

9.8CVSS6.2AI score0.00891EPSS
Exploits1References2
Snyk
Snyk
•added 2026/07/03 8:18 a.m.•7 views

Authentication Bypass by Primary Weakness

Overview Affected versions of this package are vulnerable to Authentication Bypass by Primary Weakness in the STARTTLS process. An attacker can compromise the security of the TLS connection by exploiting a scenario where a new transfer reuses an existing live connection despite a mismatch in TLS...

9.1CVSS6AI score0.0052EPSS
Exploits1References2
Snyk
Snyk
•added 2026/07/03 8:18 a.m.•5 views

Access Control Bypass

Overview Affected versions of this package are vulnerable to Access Control Bypass in the connection reuse process. An attacker can gain unauthorized access to resources or services by exploiting the reuse of an authenticated connection intended for a different service. Remediation Upgrade libcur...

6.9CVSS6AI score0.00543EPSS
Exploits1References2
Snyk
Snyk
•added 2026/07/03 8:18 a.m.•8 views

Denial of Service (DoS)

Overview Affected versions of this package are vulnerable to Denial of Service DoS due to the lack of an upper bound on memory allocation for unacknowledged WebSocket PING frames. An attacker can cause memory exhaustion by sending a rapid sequence of PING messages from a malicious server. Details...

8.7CVSS6AI score0.0086EPSS
Exploits1References2
Snyk
Snyk
•added 2026/07/03 8:18 a.m.•7 views

Insufficiently Protected Credentials

Overview Affected versions of this package are vulnerable to Insufficiently Protected Credentials in the Authorization header handling process. An attacker can cause sensitive authentication information to be sent to an unintended origin by reusing a handle for transfers to different HTTP origins...

9.8CVSS6AI score0.01064EPSS
Exploits1References2
Snyk
Snyk
•added 2026/07/03 8:18 a.m.•10 views

Infinite loop

Overview Affected versions of this package are vulnerable to Infinite loop in the udpreceive process. An attacker can cause the client to enter a busy-loop and become unresponsive by continuously sending zero-length UDP datagrams from a malicious HTTP/3 server. Remediation Upgrade libcurl to...

8.7CVSS6.2AI score0.0101EPSS
Exploits1References2
Snyk
Snyk
•added 2026/07/03 8:18 a.m.•6 views

Authentication Bypass by Primary Weakness

Overview Affected versions of this package are vulnerable to Authentication Bypass by Primary Weakness in the connection pool process. An attacker can bypass intended certificate validation by reusing a handle that initially used the default native CA trust and then switching it to custom CA...

9.1CVSS6AI score0.0061EPSS
Exploits1References2
Snyk
Snyk
•added 2026/07/03 8:18 a.m.•21 views

Insertion of Sensitive Information Into Sent Data

Overview Affected versions of this package are vulnerable to Insertion of Sensitive Information Into Sent Data due to the improper clearing of the CURLOPTREFERER option. An attacker can cause sensitive information to be disclosed by forcing the reuse and transmission of a previous referer header ...

7.5CVSS5.9AI score0.00652EPSS
Exploits1References2
Snyk
Snyk
•added 2026/07/03 8:18 a.m.•8 views

Use After Free

Overview Affected versions of this package are vulnerable to Use After Free in the CURLMOPTSOCKETFUNCTION callback when curleasypause is called. An attacker can execute arbitrary code or cause a denial of service by triggering the use of a dangling pointer after memory has been freed. Remediation...

8.8CVSS6.2AI score0.00494EPSS
Exploits1References2
Snyk
Snyk
•added 2026/07/03 8:18 a.m.•9 views

Improper Verification of Cryptographic Signature

Overview Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature via the cookie parsing process. An attacker can cause unauthorized cookies to be set and transmitted to unrelated third-party domains by crafting HTTP responses that exploit improper doma...

9.1CVSS5.9AI score0.00649EPSS
Exploits1References2
Snyk
Snyk
•added 2026/07/03 8:18 a.m.•8 views

Insufficiently Protected Credentials

Overview Affected versions of this package are vulnerable to Insufficiently Protected Credentials in the process that handles .netrc credential retrieval when a URL is specified with a username but without a password. An attacker can gain unauthorized access to sensitive information by exploiting...

9.1CVSS6AI score0.0061EPSS
Exploits1References2
Snyk
Snyk
•added 2026/07/03 8:18 a.m.•8 views

Double Free

Overview Affected versions of this package are vulnerable to Double Free in the GSASL context cleanup process. An attacker can cause arbitrary code execution or a denial of service by triggering the double-free condition. Remediation Upgrade libcurl to version 8.21.0 or higher. References - Curl...

9.8CVSS6.6AI score0.0108EPSS
Exploits1References2
Snyk
Snyk
•added 2026/07/03 8:18 a.m.•6 views

Improper Certificate Validation

Overview Affected versions of this package are vulnerable to Improper Certificate Validation when the CURLOPTSSLSESSIONIDCACHE is enabled and the CURLSSLOPTEARLYDATA option is set in CURLOPTSSLOPTIONS. An attacker can intercept and obtain sensitive information by impersonating a server and...

8.3CVSS6AI score0.00408EPSS
Exploits1References2
Snyk
Snyk
•added 2026/07/03 8:18 a.m.•5 views

Authentication Bypass by Primary Weakness

Overview Affected versions of this package are vulnerable to Authentication Bypass by Primary Weakness due to incomplete matching of mTLS configuration options during connection reuse in the connection process. An attacker can cause connections to be reused with incorrect client certificate...

9.3CVSS6.1AI score0.00368EPSS
Exploits1References2
Snyk
Snyk
•added 2026/07/03 8:18 a.m.•9 views

Improper Certificate Validation

Overview Affected versions of this package are vulnerable to Improper Certificate Validation in the CURLOPTSSHKEYFUNCTION process. An attacker can intercept or manipulate data by presenting a server host key type that does not match the recorded key type in the knownhosts file, which is improperl...

8.3CVSS6AI score0.00508EPSS
Exploits1References2
Snyk
Snyk
•added 2026/07/03 8:16 a.m.•8 views

Access Control Bypass

Overview Affected versions of this package are vulnerable to Access Control Bypass in the process responsible for clearing proxy authentication credentials. An attacker can gain unauthorized access to sensitive proxy credentials by leveraging subsequent transfers that reuse stale authentication...

9.8CVSS6AI score0.01064EPSS
Exploits1References2
Snyk
Snyk
•added 2026/07/03 8:16 a.m.•8 views

Insertion of Sensitive Information Into Sent Data

Overview Affected versions of this package are vulnerable to Insertion of Sensitive Information Into Sent Data in the process of reusing a handle for sequential transfers with environment-variable proxy configuration. An attacker can cause sensitive authentication headers to be sent to an...

9.1CVSS6AI score0.00752EPSS
Exploits1References2
Snyk
Snyk
•added 2026/07/02 10:18 p.m.•4 views

Active Debug Code

Overview Affected versions of this package are vulnerable to Active Debug Code via improper handler registration on the shared http.DefaultServeMux. An attacker can gain unauthorized access to sensitive debug and metrics endpoints by sending crafted requests, potentially exposing process command...

7.7CVSS6AI score0.00266EPSS
Exploits0References2
Total number of security vulnerabilities35669