Lucene search
K

35669 matches found

Snyk
Snyk
added 2026/07/02 10:18 p.m.4 views

Active Debug Code

Overview Affected versions of this package are vulnerable to Active Debug Code via improper handler registration on the shared http.DefaultServeMux. An attacker can gain unauthorized access to sensitive debug and metrics endpoints by sending crafted requests, potentially exposing process command...

7.7CVSS6AI score0.00266EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/02 10:18 p.m.6 views

Active Debug Code

Overview Affected versions of this package are vulnerable to Active Debug Code via improper handler registration on the shared http.DefaultServeMux. An attacker can gain unauthorized access to sensitive debug and metrics endpoints by sending crafted requests, potentially exposing process command...

7.7CVSS6AI score0.00266EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/02 10:18 p.m.6 views

Authorization Bypass Through User-Controlled Key

Overview @lobehub/lobehub is a LobeHub - an open-source,comprehensive AI Agent framework that supports speech synthesis, multimodal, and extensible Function Call plugin system. Supports one-click free deployment of your private ChatGPT/LLM web application. Affected versions of this package are...

6CVSS5.9AI score0.00154EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/02 10:18 p.m.4 views

Incorrect Privilege Assignment

Overview Affected versions of this package are vulnerable to Incorrect Privilege Assignment via the assignRoleToUser and assignRoleToGroup handlers. An attacker can gain unauthorized administrative privileges by assigning high-privilege roles, such as the built-in admin role, to themselves or...

8.8CVSS6AI score0.00389EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/02 10:18 p.m.6 views

Regular Expression Denial of Service (ReDoS)

Overview @lobehub/lobehub is a LobeHub - an open-source,comprehensive AI Agent framework that supports speech synthesis, multimodal, and extensible Function Call plugin system. Supports one-click free deployment of your private ChatGPT/LLM web application. Affected versions of this package are...

7.1CVSS5.9AI score0.00305EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/02 10:18 p.m.6 views

Authorization Bypass Through User-Controlled Key

Overview @lobehub/lobehub is a LobeHub - an open-source,comprehensive AI Agent framework that supports speech synthesis, multimodal, and extensible Function Call plugin system. Supports one-click free deployment of your private ChatGPT/LLM web application. Affected versions of this package are...

5CVSS6.1AI score0.0018EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/02 10:18 p.m.6 views

Origin Validation Error

Overview Affected versions of this package are vulnerable to Origin Validation Error in the OIDC discovery process when the X-Forwarded-Host header is not validated and no allowed-hosts list is configured. An attacker can manipulate the issuer and JWKS URI in the discovery document by supplying a...

8.2CVSS6AI score0.00246EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/02 10:18 p.m.6 views

Inefficient Algorithmic Complexity

Overview pathway is a Pathway Live Data Framework is a data processing framework which takes care of streaming data updates for you. Affected versions of this package are vulnerable to Inefficient Algorithmic Complexity via the document store process. An attacker can exhaust system resources by...

8.7CVSS6AI score0.0047EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/02 10:18 p.m.5 views

Authorization Bypass Through User-Controlled Key

Overview @lobehub/lobehub is a LobeHub - an open-source,comprehensive AI Agent framework that supports speech synthesis, multimodal, and extensible Function Call plugin system. Supports one-click free deployment of your private ChatGPT/LLM web application. Affected versions of this package are...

7.1CVSS6.1AI score0.00238EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/02 10:17 p.m.7 views

Server-side Request Forgery (SSRF)

Overview @lobehub/lobehub is a LobeHub - an open-source,comprehensive AI Agent framework that supports speech synthesis, multimodal, and extensible Function Call plugin system. Supports one-click free deployment of your private ChatGPT/LLM web application. Affected versions of this package are...

8.3CVSS6AI score0.00235EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/02 10:17 p.m.8 views

HTTP Request Smuggling

Overview webrick is a HTTP server toolkit that can be configured as an HTTPS server, a proxy server, and a virtual-host server. Affected versions of this package are vulnerable to HTTP Request Smuggling in the request process. An attacker can bypass request boundaries and interfere with HTTP...

6.9CVSS6AI score0.00352EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/02 10:17 p.m.5 views

Uncontrolled Recursion

Overview Affected versions of this package are vulnerable to Uncontrolled Recursion in the ParseObjectContext and parseArray functions due to recursive parsing of nested PDF objects without enforcing a maximum nesting depth. An attacker can cause resource exhaustion and application unavailability...

8.7CVSS6AI score0.00451EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/02 10:17 p.m.4 views

Uncontrolled Recursion

Overview Affected versions of this package are vulnerable to Uncontrolled Recursion in the ParseObjectContext and parseArray functions due to recursive parsing of nested PDF objects without enforcing a maximum nesting depth. An attacker can cause resource exhaustion and application unavailability...

8.7CVSS6AI score0.00451EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/02 9:14 p.m.7 views

External Control of File Name or Path

Overview recce is an Environment diff tool for dbt Affected versions of this package are vulnerable to External Control of File Name or Path via the query run API when configured with a DuckDB-backed project. An attacker can access or modify local files accessible to the server process, potential...

9.9CVSS6AI score
Exploits0References2
Snyk
Snyk
added 2026/07/02 9:13 p.m.7 views

User Impersonation

Overview 9router is a 9Router CLI - Start and manage 9Router server Affected versions of this package are vulnerable to User Impersonation via the isLocalRequest function. An attacker can gain unauthorized access to restricted routes and interact with child processes by spoofing the Host and Orig...

8.3CVSS6AI score0.00058EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/02 8:56 p.m.7 views

Use of Hard-coded Credentials

Overview 9router is a 9Router CLI - Start and manage 9Router server Affected versions of this package are vulnerable to Use of Hard-coded Credentials in the SECRET assignment process. An attacker can gain unauthorized access to the dashboard and API by forging a valid authtoken cookie using the...

9.8CVSS6AI score0.0019EPSS
Exploits1References2
Snyk
Snyk
added 2026/07/02 8:55 p.m.6 views

Missing Authorization

Overview kiwitcms is a Test Case Management System Affected versions of this package are vulnerable to Missing Authorization in the /init-db/ process. An attacker can access administrative setup functionality by sending requests to this endpoint after initial use. This is only exploitable if the...

6.9CVSS5.9AI score0.00048EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/02 8:47 p.m.5 views

Insufficient Verification of Data Authenticity

Overview simplesamlphp/simplesamlphp is a PHP implementation of a SAML 2.0 service provider and identity provider, also compatible with Shibboleth 1.3 and 2.0. Affected versions of this package are vulnerable to Insufficient Verification of Data Authenticity in the processing of SAML responses wh...

7.1CVSS6AI score
Exploits0References2
Snyk
Snyk
added 2026/07/02 8:46 p.m.4 views

Improper Handling of Windows DATA Alternate Data Stream

Overview Affected versions of this package are vulnerable to Improper Handling of Windows DATA Alternate Data Stream in the FilePage process on Windows systems when handling filenames with NTFS-equivalent suffixes such as ::$DATA, a trailing dot, or a trailing space. An attacker can obtain the ra...

8.7CVSS6AI score0.00077EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/02 8:44 p.m.8 views

Missing Authorization

Overview Affected versions of this package are vulnerable to Missing Authorization through the add and remove endpoints for timesheet favorites. An attacker can manipulate another user's favorite bookmark state by referencing the victim's timesheet identifier, allowing unauthorized addition or...

5.3CVSS6AI score
Exploits0References3
Snyk
Snyk
added 2026/07/02 8:38 p.m.5 views

Improper Authentication

Overview fast-mcp-telegram is a Multi-tenant Telegram gateway for AI agents — HTTP+stdio transport, 8 agent-optimized tools, MTProto User API Affected versions of this package are vulnerable to Improper Authentication via the SessionFileTokenVerifier.verifytoken process. An attacker can gain...

9.4CVSS6AI score0.00423EPSS
Exploits0References3
Snyk
Snyk
added 2026/07/02 8:27 p.m.7 views

Improper Neutralization of Data within XPath Expressions ('XPath Injection')

Overview Affected versions of this package are vulnerable to Improper Neutralization of Data within XPath Expressions 'XPath Injection' through the XPath Transform process. An attacker can cause the application to become unresponsive or crash by sending specially crafted messages that exploit thi...

8.7CVSS6AI score
Exploits0References2
Snyk
Snyk
added 2026/07/02 8:27 p.m.5 views

Improper Neutralization of Data within XPath Expressions ('XPath Injection')

Overview Affected versions of this package are vulnerable to Improper Neutralization of Data within XPath Expressions 'XPath Injection' through the XPath Transform process. An attacker can cause the application to become unresponsive or crash by sending specially crafted messages that exploit thi...

8.7CVSS6AI score
Exploits0References2
Snyk
Snyk
added 2026/07/02 8:25 p.m.5 views

Improper Certificate Validation

Overview Affected versions of this package are vulnerable to Improper Certificate Validation in the HTTPArtifact::receive process. An attacker can gain unauthorized access to arbitrary user accounts by crafting a forged unsigned assertion from a malicious or lower-trust identity provider within t...

8.7CVSS6.1AI score
Exploits0References2
Snyk
Snyk
added 2026/07/02 8:25 p.m.6 views

Improper Certificate Validation

Overview Affected versions of this package are vulnerable to Improper Certificate Validation in the HTTPArtifact::receive process. An attacker can gain unauthorized access to arbitrary user accounts by crafting a forged unsigned assertion from a malicious or lower-trust identity provider within t...

8.7CVSS6.1AI score
Exploits0References2
Snyk
Snyk
added 2026/07/02 8:23 p.m.6 views

Arbitrary Argument Injection

Overview linuxfabrik-lib is a Python libraries used in various Linuxfabrik projects, including the 'Linuxfabrik Monitoring Plugins' project. Affected versions of this package are vulnerable to Arbitrary Argument Injection in the configuration of the sudoers file, which allows arbitrary arguments ...

8.4CVSS6.2AI score
Exploits0References2
Snyk
Snyk
added 2026/07/02 8:20 p.m.4 views

Regular Expression Denial of Service (ReDoS)

Overview @asymmetric-effort/nogginlessdom is an A zero-dependency testing framework with comprehensive test runner, assertions, DOM simulation, and mocking, built on node:test and node:assert Affected versions of this package are vulnerable to Regular Expression Denial of Service ReDoS in the...

6.9CVSS5.9AI score
Exploits0References2
Snyk
Snyk
added 2026/07/02 8:19 p.m.6 views

Directory Traversal

Overview @asymmetric-effort/nogginlessdom is an A zero-dependency testing framework with comprehensive test runner, assertions, DOM simulation, and mocking, built on node:test and node:assert Affected versions of this package are vulnerable to Directory Traversal via the matchFileSnapshot functio...

8.7CVSS6.6AI score
Exploits0References2
Snyk
Snyk
added 2026/07/02 8:17 p.m.11 views

Missing Authorization

Overview 9router is a 9Router CLI - Start and manage 9Router server Affected versions of this package are vulnerable to Missing Authorization via the POST /api/tunnel/tailscale-install route handler, which accepts a JSON body containing a sudoPassword field and pipes it, along with the contents o...

9.8CVSS6.2AI score0.01372EPSS
Exploits0References3
Snyk
Snyk
added 2026/07/02 8:16 p.m.7 views

Use of GET Request Method With Sensitive Query Strings

Overview @nuxt/ui is an A UI Library for Modern Web Apps, powered by Vue & Tailwind CSS. Affected versions of this package are vulnerable to Use of GET Request Method With Sensitive Query Strings via the UForm and UAuthForm components when the server-side rendered form omits the method attribute...

6.9CVSS6AI score
Exploits0References2
Snyk
Snyk
added 2026/07/02 8:13 p.m.5 views

Regular Expression Denial of Service (ReDoS)

Overview jsonata is a JSON query and transformation language Affected versions of this package are vulnerable to Regular Expression Denial of Service ReDoS via the $toMillis function. An attacker can cause resource exhaustion by providing specially crafted inputs that trigger excessive backtracki...

8.7CVSS5.9AI score
Exploits0References2
Snyk
Snyk
added 2026/07/02 8:13 p.m.3 views

Regular Expression Denial of Service (ReDoS)

Overview org.webjars.npm:jsonata is a JSON query and transformation language Affected versions of this package are vulnerable to Regular Expression Denial of Service ReDoS via the $toMillis function. An attacker can cause resource exhaustion by providing specially crafted inputs that trigger...

8.7CVSS5.9AI score
Exploits0References2
Snyk
Snyk
added 2026/07/02 8:3 p.m.5 views

Missing Authorization

Overview craftcms/cms is a content management system. Affected versions of this package are vulnerable to Missing Authorization in the actionMoveFolder process. An attacker can remove destination folders and their contents without having delete permissions on the destination by initiating a force...

7.1CVSS6AI score0.00207EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/02 8:3 p.m.5 views

Improperly Controlled Modification of Dynamically-Determined Object Attributes

Overview craftcms/cms is a content management system. Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes via the newAttributes parameter in the bulk duplicate process. An attacker can overwrite existing elements...

7.1CVSS6AI score0.00253EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/02 7:35 p.m.8 views

Missing Authorization

Overview @grackle-ai/plugin-core is a Core plugin for Grackle — gRPC handlers, reconciliation phases, and event subscribers Affected versions of this package are vulnerable to Missing Authorization due to inconsistent enforcement of authorization checks in the tool layer. An attacker can gain...

8.8CVSS6.1AI score
Exploits0References4
Snyk
Snyk
added 2026/07/02 7:35 p.m.6 views

Missing Authorization

Overview @grackle-ai/auth is an Authentication and authorization primitives for Grackle Affected versions of this package are vulnerable to Missing Authorization due to inconsistent enforcement of authorization checks in the tool layer. An attacker can gain unauthorized access to perform cross-ta...

8.8CVSS6.1AI score
Exploits0References4
Snyk
Snyk
added 2026/07/02 7:35 p.m.7 views

Missing Authorization

Overview @grackle-ai/mcp is a MCP Model Context Protocol server for Grackle — translates MCP tool calls to ConnectRPC Affected versions of this package are vulnerable to Missing Authorization due to inconsistent enforcement of authorization checks in the tool layer. An attacker can gain...

8.8CVSS6.1AI score
Exploits0References4
Snyk
Snyk
added 2026/07/02 7:23 p.m.8 views

Improper Authorization

Overview froxlor/froxlor is a server administration software. Affected versions of this package are vulnerable to Improper Authorization through the Mysqls.add process. An attacker can create databases and users on unauthorized MySQL servers by supplying a disallowed server index in the API...

5.3CVSS6AI score
Exploits0References2
Snyk
Snyk
added 2026/07/02 7:23 p.m.6 views

Authorization Bypass Through User-Controlled Key

Overview froxlor/froxlor is a server administration software. Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key in the customeremail.php process. An attacker can access other users' allowed sender aliases by supplying arbitrary senderid values in...

6.9CVSS6AI score
Exploits0References2
Snyk
Snyk
added 2026/07/02 7:22 p.m.4 views

Command Injection

Overview electerm is an open-sourced terminal/ssh/telnet/serialport/sftp client Affected versions of this package are vulnerable to Command Injection via the rmrf, mv, and cp functions. An attacker can execute arbitrary commands by supplying specially crafted file names containing shell...

8.8CVSS6.3AI score0.00072EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/02 7:21 p.m.4 views

Missing Authentication for Critical Function

Overview Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the unauthenticated GET /api/v1/oauth and GET /api/v1/oauth/:id endpoints, which serialize and return sensitive fields such as clientsecret in the response. An attacker can obtain...

6.3CVSS5.9AI score
Exploits0References2
Snyk
Snyk
added 2026/07/02 7:21 p.m.4 views

Missing Authentication for Critical Function

Overview Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the unauthenticated GET /api/v1/oauth and GET /api/v1/oauth/:id endpoints, which serialize and return sensitive fields such as clientsecret in the response. An attacker can obtain...

6.3CVSS5.9AI score
Exploits0References2
Snyk
Snyk
added 2026/07/02 7:21 p.m.5 views

Missing Authentication for Critical Function

Overview Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the unauthenticated GET /api/v1/oauth and GET /api/v1/oauth/:id endpoints, which serialize and return sensitive fields such as clientsecret in the response. An attacker can obtain...

6.3CVSS5.9AI score
Exploits0References2
Snyk
Snyk
added 2026/07/02 7:21 p.m.5 views

Missing Authentication for Critical Function

Overview Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the unauthenticated GET /api/v1/oauth and GET /api/v1/oauth/:id endpoints, which serialize and return sensitive fields such as clientsecret in the response. An attacker can obtain...

6.3CVSS5.9AI score
Exploits0References2
Snyk
Snyk
added 2026/07/02 7:21 p.m.4 views

Missing Authentication for Critical Function

Overview Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the unauthenticated GET /api/v1/oauth and GET /api/v1/oauth/:id endpoints, which serialize and return sensitive fields such as clientsecret in the response. An attacker can obtain...

6.3CVSS5.9AI score
Exploits0References2
Snyk
Snyk
added 2026/07/02 7:21 p.m.6 views

Missing Authentication for Critical Function

Overview Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the unauthenticated GET /api/v1/oauth and GET /api/v1/oauth/:id endpoints, which serialize and return sensitive fields such as clientsecret in the response. An attacker can obtain...

6.3CVSS5.9AI score
Exploits0References2
Snyk
Snyk
added 2026/07/02 7:20 p.m.5 views

Directory Traversal

Overview electerm is an open-sourced terminal/ssh/telnet/serialport/sftp client Affected versions of this package are vulnerable to Directory Traversal via the prepareReceiveFile and getUniqueFilePath processes. An attacker can write files to arbitrary locations on the user's filesystem by...

7.1CVSS6.5AI score0.00034EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/02 7:18 p.m.4 views

Inefficient Algorithmic Complexity

Overview @conform-to/dom is an A set of opinionated helpers built on top of the Constraint Validation API Affected versions of this package are vulnerable to Inefficient Algorithmic Complexity in the parseSubmission process. An attacker can cause excessive CPU consumption by submitting forms with...

8.7CVSS6AI score
Exploits0References2
Snyk
Snyk
added 2026/07/02 7:16 p.m.6 views

Arbitrary Argument Injection

Overview @grackle-ai/powerline is a gRPC PowerLine server for Grackle AI agent integration Affected versions of this package are vulnerable to Arbitrary Argument Injection via unsanitized input to the branch parameter in the SpawnSession process. An attacker can execute arbitrary commands as the...

8.8CVSS6.2AI score
Exploits0References3
Snyk
Snyk
added 2026/07/02 7:16 p.m.6 views

Arbitrary Argument Injection

Overview @grackle-ai/runtime-sdk is a Grackle runtime SDK — interfaces, base classes, shared utilities, and runtime installer Affected versions of this package are vulnerable to Arbitrary Argument Injection via unsanitized input to the branch parameter in the SpawnSession process. An attacker can...

8.8CVSS6.2AI score
Exploits0References3
Total number of security vulnerabilities35669