35665 matches found
Missing Release of Memory after Effective Lifetime
Overview Magick.NET-Q16-OpenMP-arm64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package...
Missing Release of Memory after Effective Lifetime
Overview Magick.NET-Q8-OpenMP-arm64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package...
Missing Release of Memory after Effective Lifetime
Overview Magick.NET-Q8-AnyCPU is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package are...
Missing Release of Memory after Effective Lifetime
Overview Magick.NET-Q8-x86 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package are...
Missing Release of Memory after Effective Lifetime
Overview Magick.NET-Q16-HDRI-OpenMP-arm64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this...
Missing Release of Memory after Effective Lifetime
Overview Magick.NET-Q16-HDRI-x64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package are...
Missing Release of Memory after Effective Lifetime
Overview Magick.NET-Q16-HDRI-AnyCPU is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package...
Missing Release of Memory after Effective Lifetime
Overview Magick.NET-Q16-x64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package are...
Cross-site Scripting (XSS)
Overview drupal/core is an an open source content management platform powering millions of websites and applications. Affected versions of this package are vulnerable to Cross-site Scripting XSS via improper input neutralization during web page generation. An attacker can execute arbitrary script...
Server-side Request Forgery (SSRF)
Overview drupal/core is an an open source content management platform powering millions of websites and applications. Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the request process. An attacker can make arbitrary requests to internal or external syste...
Improperly Controlled Modification of Dynamically-Determined Object Attributes
Overview drupal/core is an an open source content management platform powering millions of websites and applications. Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes in the process of modifying dynamically-determin...
Open Redirect
Overview drupal/core is an an open source content management platform powering millions of websites and applications. Affected versions of this package are vulnerable to Open Redirect via the URL redirection process. An attacker can redirect users to malicious sites or poison cache by crafting...
Improperly Controlled Modification of Dynamically-Determined Object Attributes
Overview drupal/core is an an open source content management platform powering millions of websites and applications. Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes in the deserialization process. An attacker can...
Malicious Package
Overview auth-next-gen is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview authvaultx is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...
Incorrect Authorization
Overview snipe/snipe-it is an asset management system built on Laravel. Affected versions of this package are vulnerable to Incorrect Authorization via the printInventory process. An attacker can access inventory and cost/order metadata from modules that should be restricted by leveraging...
Cross-site Scripting (XSS)
Overview snipe/snipe-it is an asset management system built on Laravel. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the UploadFileRequest process, which fails to properly sanitize SVG content unless PHP finfo reports image/svg+xml, and the...
Open Redirect
Overview snipe/snipe-it is an asset management system built on Laravel. Affected versions of this package are vulnerable to Open Redirect via the redirect-intended process. An attacker can redirect users to arbitrary external websites by manipulating the Referer header during the user edit flow...
Cross-site Scripting (XSS)
Overview snipe/snipe-it is an asset management system built on Laravel. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the headercolor setting in the branding configuration. An attacker with superadmin privileges can inject arbitrary CSS that impacts authenticate...
XML Injection
Overview @logto/connector-saml is a SAML standard connector implementation. Affected versions of this package are vulnerable to XML Injection via the SAML assertion process. An attacker can inject arbitrary XML markup into signed SAML assertions by supplying crafted profile attributes, potentiall...
Incorrect Authorization
Overview snipe/snipe-it is an asset management system built on Laravel. Affected versions of this package are vulnerable to Incorrect Authorization in the Importer API endpoint when a user with CSV import capabilities and a valid API key can overwrite the createdby value of an import file. An...
Authorization Bypass Through User-Controlled Key
Overview snipe/snipe-it is an asset management system built on Laravel. Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the unaccepted-assets report delete endpoint. An attacker can remove pending checkout acceptance records belonging to...
Directory Traversal
Overview snipe/snipe-it is an asset management system built on Laravel. Affected versions of this package are vulnerable to Directory Traversal via the image field during CSV import. An attacker can delete arbitrary files accessible to the server process by supplying a crafted path traversal stri...
CSV Injection
Overview snipe/snipe-it is an asset management system built on Laravel. Affected versions of this package are vulnerable to CSV Injection through the postActivityReport process. An attacker can cause arbitrary formula execution in spreadsheet software by injecting a specially crafted User-Agent...
Incorrect Authorization
Overview snipe/snipe-it is an asset management system built on Laravel. Affected versions of this package are vulnerable to Incorrect Authorization due to improper authorization in the legacy license checkin process. An attacker can reclaim license seats assigned to other users or assets by...
Improper Encoding or Escaping of Output
Overview Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output in the MapMessage.asJson method, which emits the bare NaN, Infinity, or -Infinity tokens instead of an RFC 8259-compliant representation. An attacker can emit malformed JSON that corrupts the...
Improper Authentication
Overview Affected versions of this package are vulnerable to Improper Authentication in the ReverseProxy.Rewrite process when the internal authentication token is forwarded to backend services via the x-tsdproxy-auth-token header. An attacker can gain unauthorized management API access and escala...
Malicious Package
Overview type-elint is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...
Missing Authentication for Critical Function
Overview clauster is a Self-hosted web UI for spawning and managing Claude Code remote-control bridges on a remote host. Affected versions of this package are vulnerable to Missing Authentication for Critical Function in the authentication process. An attacker can gain unauthorized access to the...
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Overview prestashop/psfacetedsearch is a PrestaShop module that adds layered navigation filters. Affected versions of this package are vulnerable to Improper Neutralization of Special Elements in Output Used by a Downstream Component 'Injection' via the getFromCache function. An attacker can...
Malicious Package
Overview type-plint is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...
Malicious Package
Overview type-atob is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...
Improper Authentication
Overview Affected versions of this package are vulnerable to Improper Authentication in the auto-linking process by email, as the external identity provider does not verify ownership of the email address before linking accounts. An attacker can gain unauthorized access to a victim's local account...
Missing Authorization
Overview github.com/zitadel/zitadel/internal/api/oidc is a package for identity infrastructure Affected versions of this package are vulnerable to Missing Authorization in the OAuth2 Token Exchange process. An attacker can gain elevated permissions by exchanging a low-privilege token for higher...
Insufficient Session Expiration
Overview Affected versions of this package are vulnerable to Insufficient Session Expiration in the session process. An attacker can bypass token expiration enforcement by providing a JWT without the exp claim, resulting in tokens from trusted issuers being accepted indefinitely. Remediation...
Improper Authentication
Overview prowler is a Prowler is an Open Source security tool to perform AWS, GCP and Azure security best practices assessments, audits, incident response, continuous monitoring, hardening and forensics readiness. It contains hundreds of controls covering CIS, NIST 800, NIST CSF, CISA, RBI,...
Incorrect Authorization
Overview snipe/snipe-it is an asset management system built on Laravel. Affected versions of this package are vulnerable to Incorrect Authorization in the BulkUsersController::destroy process. An attacker can gain unauthorized ability to soft-delete other non-admin users by sending a direct POST...
Missing Authorization
Overview snipe/snipe-it is an asset management system built on Laravel. Affected versions of this package are vulnerable to Missing Authorization via the cancelbyadmin parameter in the asset request cancellation process. An attacker can cancel pending asset requests for other users by supplying a...
Cross-site Scripting (XSS)
Overview snipe/snipe-it is an asset management system built on Laravel. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the markdown-textarea custom field processing. An attacker can execute arbitrary JavaScript in the context of another user by embedding a crafte...
Authorization Bypass Through User-Controlled Key
Overview snipe/snipe-it is an asset management system built on Laravel. Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the assetid field in the API update process. An attacker can gain unauthorized access to assets outside their company...
Incorrect Authorization
Overview snipe/snipe-it is an asset management system built on Laravel. Affected versions of this package are vulnerable to Incorrect Authorization in the API location creation process when both Full Multiple Companies Support and scopelocationsfmcs are enabled. An attacker can create a child...
Authorization Bypass Through User-Controlled Key
Overview snipe/snipe-it is an asset management system built on Laravel. Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the POST /api/v1/kits/kitid/licenses endpoint. An attacker can gain unauthorized access to and manipulate license object...
Improper Privilege Management
Overview snipe/snipe-it is an asset management system built on Laravel. Affected versions of this package are vulnerable to Improper Privilege Management via the UsersController::update process. An attacker can remove or downgrade another user's administrative or granular permissions by submittin...
Arbitrary Argument Injection
Overview mcp-server-kubernetes is a MCP server for interacting with Kubernetes clusters via kubectl Affected versions of this package are vulnerable to Arbitrary Argument Injection via the kubectlget, kubectldescribe, and kubectldelete functions. An attacker can execute arbitrary commands by...
Authorization Bypass Through User-Controlled Key
Overview krayin/laravel-crm is a hand tailored CRM framework built on some of the hottest opensource technologies such as Laravel a PHP framework and Vue.js a progressive Javascript framework. Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via...
Relative Path Traversal
Overview snipe/snipe-it is an asset management system built on Laravel. Affected versions of this package are vulnerable to Relative Path Traversal via the displaySig process. An attacker can access arbitrary files outside the intended directory by supplying crafted input to the filename paramete...
Directory Traversal
Overview mcp-atlassian is a The Model Context Protocol MCP Atlassian integration is an open-source implementation that bridges Atlassian products Jira and Confluence with AI language models following Anthropic's MCP specification. This project enables secure, contextual AI interactions with...
External Control of File Name or Path
Overview mcp-atlassian is a The Model Context Protocol MCP Atlassian integration is an open-source implementation that bridges Atlassian products Jira and Confluence with AI language models following Anthropic's MCP specification. This project enables secure, contextual AI interactions with...
Protection Mechanism Failure
Overview safeinstall-cli is a Local-first CLI that blocks risky npm, pnpm, and bun installs before they run. Open source. Affected versions of this package are vulnerable to Protection Mechanism Failure through improper shell command parsing in the agent guard. An attacker can execute arbitrary...
Arbitrary File Upload
Overview notrinos/notrinos-erp is a web-based enterprise management system that is written in PHP and MySql. NotrinosERP contains all the required modules for running any small to medium size businesses. It supports multi users, multi currencies, multi languages. Affected versions of this package...