Lucene search
K

35670 matches found

Snyk
Snyk
added 2026/07/02 7:16 p.m.6 views

Arbitrary Argument Injection

Overview @grackle-ai/runtime-sdk is a Grackle runtime SDK — interfaces, base classes, shared utilities, and runtime installer Affected versions of this package are vulnerable to Arbitrary Argument Injection via unsanitized input to the branch parameter in the SpawnSession process. An attacker can...

8.8CVSS6.2AI score
Exploits0References3
Snyk
Snyk
added 2026/07/02 7:12 p.m.5 views

Inadequate Encryption Strength

Overview Affected versions of this package are vulnerable to Inadequate Encryption Strength in the verify process. An attacker can gain unauthorized access and forge arbitrary claims by submitting tokens signed with an empty or null key, which are incorrectly accepted as valid signatures. This is...

8.7CVSS6.1AI score
Exploits0References2
Snyk
Snyk
added 2026/07/02 7:9 p.m.5 views

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the inline parameter in the file download process. An attacker can execute arbitrary scripts in the context of the application's web origin by uploading a crafted HTML file and convincing a victim to open a...

3.7CVSS5.8AI score0.00028EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/02 7:9 p.m.3 views

Directory Traversal

Overview Affected versions of this package are vulnerable to Directory Traversal via the public web-client endpoint for partial ZIP downloads of a browsable share. An attacker can access files outside the intended shared directory by supplying crafted file entries whose canonical paths begin with...

8.2CVSS6.5AI score0.00057EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/02 7:9 p.m.4 views

Directory Traversal

Overview Affected versions of this package are vulnerable to Directory Traversal via the public web-client endpoint for partial ZIP downloads of a browsable share. An attacker can access files outside the intended shared directory by supplying crafted file entries whose canonical paths begin with...

8.2CVSS6.5AI score0.00057EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/02 7:8 p.m.4 views

Cross-site Scripting (XSS)

Overview @asymmetric-effort/specifyjs is an A declarative TypeScript UI framework built for performance and simplicity Affected versions of this package are vulnerable to Cross-site Scripting XSS in the renderToString process. An attacker can inject malicious CSS expressions by bypassing the...

6.1CVSS5.9AI score
Exploits0References2
Snyk
Snyk
added 2026/07/02 7:8 p.m.4 views

Server-side Request Forgery (SSRF)

Overview @asymmetric-effort/specifyjs is an A declarative TypeScript UI framework built for performance and simplicity Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the secureFetch process. An attacker can access internal or unintended network resources b...

6.9CVSS6AI score
Exploits0References2
Snyk
Snyk
added 2026/07/02 7:7 p.m.3 views

Server-side Request Forgery (SSRF)

Overview @asymmetric-effort/specifyjs is an A declarative TypeScript UI framework built for performance and simplicity Affected versions of this package are vulnerable to Server-side Request Forgery SSRF through the secure-fetch process. An attacker can cause memory exhaustion by supplying a very...

6.9CVSS6AI score
Exploits0References2
Snyk
Snyk
added 2026/07/02 7:7 p.m.2 views

Server-side Request Forgery (SSRF)

Overview @asymmetric-effort/specifyjs is an A declarative TypeScript UI framework built for performance and simplicity Affected versions of this package are vulnerable to Server-side Request Forgery SSRF due to incomplete validation in the secure-fetch process. An attacker can access internal...

6.9CVSS6AI score
Exploits0References2
Snyk
Snyk
added 2026/07/02 7:3 p.m.5 views

Information Exposure

Overview @asymmetric-effort/specifyjs is an A declarative TypeScript UI framework built for performance and simplicity Affected versions of this package are vulnerable to Information Exposure in the console.warn process. An attacker can gain insight into internal framework state, such as queue...

6.9CVSS6AI score
Exploits0References2
Snyk
Snyk
added 2026/07/02 7:0 p.m.4 views

Improper Neutralization of Special Elements in Data Query Logic

Overview @asymmetric-effort/specifyjs is an A declarative TypeScript UI framework built for performance and simplicity Affected versions of this package are vulnerable to Improper Neutralization of Special Elements in Data Query Logic via the gql function. An attacker can inject unauthorized...

6.9CVSS6AI score
Exploits0References2
Snyk
Snyk
added 2026/07/02 6:59 p.m.4 views

Server-side Request Forgery (SSRF)

Overview @asymmetric-effort/specifyjs is an A declarative TypeScript UI framework built for performance and simplicity Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the assertSecureUrl function. An attacker can bypass HTTPS validation by supplying a...

8.7CVSS6AI score
Exploits0References2
Snyk
Snyk
added 2026/07/02 6:49 p.m.4 views

Missing Authorization

Overview craftcms/cms is a content management system. Affected versions of this package are vulnerable to Missing Authorization through the actionDeleteFolder process. An attacker can remove assets belonging to other users by exploiting insufficient permission checks during folder deletion...

7.7CVSS5.9AI score0.00249EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/02 6:48 p.m.4 views

Authorization Bypass Through User-Controlled Key

Overview craftcms/cms is a content management system. Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the actionReplaceFile process. An attacker can delete assets in unauthorized volumes by supplying both assetId and sourceAssetId without...

5.4CVSS6AI score0.00265EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/02 6:47 p.m.4 views

Access Control Bypass

Overview craftcms/cms is a content management system. Affected versions of this package are vulnerable to Access Control Bypass via the entries/move-to-section process. An attacker can relocate entries into unauthorized sections by exploiting insufficient permission checks, allowing them to bypas...

6CVSS6AI score0.00273EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/02 6:45 p.m.4 views

Improper Authorization

Overview craftcms/cms is a content management system. Affected versions of this package are vulnerable to Improper Authorization in the entries/save-entry process. An attacker can reassign content authorship to another user without proper authorization by submitting crafted requests containing...

7.6CVSS6AI score0.00245EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/02 5:51 p.m.3 views

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the displaymap parser function when unescaped user input is passed to the overlays parameter. An attacker can execute arbitrary JavaScript in the context of users viewing the affected page by injecting...

8.8CVSS5.8AI score
Exploits0References3
Snyk
Snyk
added 2026/07/02 5:42 p.m.4 views

SQL Injection

Overview langroid is a Harness LLMs with Multi-Agent Programming Affected versions of this package are vulnerable to SQL Injection via insufficient filtering in the validatequery process. An attacker can access arbitrary files on the database host and perform filesystem reconnaissance by injectin...

8.7CVSS6.2AI score0.00686EPSS
Exploits0References3
Snyk
Snyk
added 2026/07/02 5:38 p.m.5 views

Relative Path Traversal

Overview langroid is a Harness LLMs with Multi-Agent Programming Affected versions of this package are vulnerable to Relative Path Traversal through improper validation of user-supplied file paths in the ReadFileTool and WriteFileTool components. An attacker can access or modify files outside the...

8.4CVSS6AI score0.00184EPSS
Exploits1References3
Snyk
Snyk
added 2026/07/02 5:33 p.m.3 views

Insufficiently Protected Credentials

Overview Affected versions of this package are vulnerable to Insufficiently Protected Credentials via the UploadKerberosHub process. An attacker can obtain sensitive authentication credentials by configuring a malicious or compromised huburi that issues a cross-host redirect, causing the client t...

6.9CVSS6AI score
Exploits0References2
Snyk
Snyk
added 2026/07/02 5:15 p.m.4 views

Improper Certificate Validation

Overview Affected versions of this package are vulnerable to Improper Certificate Validation in the processing of requests to virtual hosts configured with both tls.enableFallbackCertificate and jwtProviders. An attacker can bypass authentication controls by sending requests without a valid token...

8.3CVSS6AI score0.00023EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/02 3:26 p.m.5 views

Missing Authentication for Critical Function

Overview mcp-memory-service is an Open-source persistent memory for AI agent pipelines and Claude. REST API + semantic search + knowledge graph + autonomous consolidation. Self-host, zero cloud cost. Affected versions of this package are vulnerable to Missing Authentication for Critical Function ...

9.8CVSS6AI score
Exploits0References2
Snyk
Snyk
added 2026/07/02 2:56 p.m.8 views

Malicious Package

Overview animatecss-postcss-plugin is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...

9.8CVSS6AI score
Exploits0References2
Snyk
Snyk
added 2026/07/02 2:55 p.m.11 views

Malicious Package

Overview tailwind-animates is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS6AI score
Exploits0References2
Snyk
Snyk
added 2026/07/02 1:50 p.m.5 views

User Impersonation

Overview Affected versions of this package are vulnerable to User Impersonation via the BalancerForward process. An attacker can manipulate upstream IP-based logic, such as rate limiting, access control, and audit logging, by injecting a spoofed X-Real-IP header value in requests. Remediation...

6.9CVSS6AI score0.00455EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/02 1:50 p.m.4 views

User Impersonation

Overview Affected versions of this package are vulnerable to User Impersonation via the BalancerForward process. An attacker can manipulate upstream IP-based logic, such as rate limiting, access control, and audit logging, by injecting a spoofed X-Real-IP header value in requests. Remediation The...

6.9CVSS6AI score0.00455EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/02 1:50 p.m.3 views

User Impersonation

Overview Affected versions of this package are vulnerable to User Impersonation via the BalancerForward process. An attacker can manipulate upstream IP-based logic, such as rate limiting, access control, and audit logging, by injecting a spoofed X-Real-IP header value in requests. Remediation The...

6.9CVSS6AI score0.00455EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/02 1:46 p.m.4 views

Information Exposure

Overview Affected versions of this package are vulnerable to Information Exposure via the Authorizer function. An attacker can determine valid usernames by measuring the response time difference between valid and invalid usernames during authentication attempts. Remediation There is no fixed...

6.9CVSS6AI score0.00516EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/02 1:46 p.m.4 views

Information Exposure

Overview Affected versions of this package are vulnerable to Information Exposure via the Authorizer function. An attacker can determine valid usernames by measuring the response time difference between valid and invalid usernames during authentication attempts. Remediation Upgrade...

6.9CVSS6AI score0.00516EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/02 1:46 p.m.5 views

Information Exposure

Overview Affected versions of this package are vulnerable to Information Exposure via the Authorizer function. An attacker can determine valid usernames by measuring the response time difference between valid and invalid usernames during authentication attempts. Remediation There is no fixed...

6.9CVSS6AI score0.00516EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/02 1:17 p.m.8 views

Malicious Package

Overview cache-section-helper is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS6AI score
Exploits0References2
Snyk
Snyk
added 2026/07/02 1:17 p.m.9 views

Malicious Package

Overview db-connector-log is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS6AI score
Exploits0References2
Snyk
Snyk
added 2026/07/02 1:17 p.m.11 views

Malicious Package

Overview db-convertor is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS6AI score
Exploits0References2
Snyk
Snyk
added 2026/07/02 1:17 p.m.9 views

Malicious Package

Overview db-plog is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...

9.8CVSS6AI score
Exploits0References2
Snyk
Snyk
added 2026/07/02 1:7 p.m.10 views

Malicious Package

Overview tailwind-typography-stylecss is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...

9.8CVSS6AI score
Exploits0References2
Snyk
Snyk
added 2026/07/02 1:2 p.m.7 views

Malicious Package

Overview @modhamanish/rn-mm-template is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...

9.8CVSS6AI score
Exploits0References2
Snyk
Snyk
added 2026/07/02 12:20 p.m.7 views

Allocation of Resources Without Limits or Throttling

Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the GetEndpoints process. An attacker can cause the server to allocate excessive memory by sending a GetEndpointsRequest with an extremely large endpointUrl field, delivered in...

7.5CVSS6AI score0.00386EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/02 9:48 a.m.14 views

Malicious Package

Overview vitest-agent is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS6AI score
Exploits0References2
Snyk
Snyk
added 2026/07/02 9:12 a.m.5 views

Missing Authorization

Overview mlflow is a platform to streamline machine learning development, including tracking experiments, packaging code into reproducible runs, and sharing and deploying models. Affected versions of this package are vulnerable to Missing Authorization via the beforerequest handler in the trace A...

8.8CVSS7.3AI score0.00348EPSS
Exploits1References2
Snyk
Snyk
added 2026/07/02 9:12 a.m.7 views

Missing Authorization

Overview Affected versions of this package are vulnerable to Missing Authorization via the beforerequest handler in the trace API endpoints. An authenticated attacker can bypass access controls by sending trace read, search, delete, update, linking, or assessment requests for experiments they do...

8.8CVSS7.2AI score0.00348EPSS
Exploits1References2
Snyk
Snyk
added 2026/07/02 8:13 a.m.7 views

Allocation of Resources Without Limits or Throttling

Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the FindServers process. An attacker can cause the server to allocate excessive memory by sending a FindServersRequest with an unbounded serverUris field, delivering a very large...

8.7CVSS6.2AI score0.00388EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/02 7:33 a.m.4 views

Allocation of Resources Without Limits or Throttling

Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to the lack of enforced limits in the parser when processing JSON input. An attacker can cause excessive CPU and memory consumption by submitting very large or deeply nested JSON...

8.7CVSS6AI score0.00366EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/01 11:15 p.m.6 views

Cross-site Scripting (XSS)

Overview wagtail is an open source content management system built on Django. Affected versions of this package are vulnerable to Cross-site Scripting XSS in the dynamic image URL generator view within the admin interface. An attacker with a limited-permission editor account can execute arbitrary...

8.5CVSS5.8AI score0.00203EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/01 11:15 p.m.8 views

Improper Handling of Insufficient Permissions or Privileges

Overview wagtail is an open source content management system built on Django. Affected versions of this package are vulnerable to Improper Handling of Insufficient Permissions or Privileges in the chosen endpoint for Documents and Images, which incorrectly lists items for which the user has not...

5.3CVSS5.9AI score0.00162EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/01 11:15 p.m.3 views

Improper Handling of Insufficient Permissions or Privileges

Overview wagtail is an open source content management system built on Django. Affected versions of this package are vulnerable to Improper Handling of Insufficient Permissions or Privileges in the simpletranslation process. An attacker can access and create translations for pages without the...

5.3CVSS6AI score0.00162EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/01 11:14 p.m.6 views

Improper Handling of Insufficient Permissions or Privileges

Overview wagtail is an open source content management system built on Django. Affected versions of this package are vulnerable to Improper Handling of Insufficient Permissions or Privileges via the preview view in wagtail/images/views/images.py. An attacker can preview images they do not have...

6.5CVSS6AI score0.00201EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/01 11:12 p.m.5 views

Allocation of Resources Without Limits or Throttling

Overview wagtail is an open source content management system built on Django. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the previewrequest, imageid, filterspec view in wagtail/images/views/images.py. An authenticated admin can...

5.1CVSS5.8AI score0.0022EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/01 10:17 p.m.7 views

Prototype Pollution

Overview jodit is a Jodit is awesome and usefully wysiwyg editor with filebrowser Affected versions of this package are vulnerable to Prototype Pollution via the ConfigMerge and ConfigProto helpers in the configuration code. An attacker can mutate Object.prototype by supplying user-controlled...

6.5CVSS6.5AI score0.00273EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/01 10:17 p.m.6 views

Prototype Pollution

Overview org.webjars.npm:jodit is a Jodit is awesome and usefully wysiwyg editor with filebrowser Affected versions of this package are vulnerable to Prototype Pollution via the ConfigMerge and ConfigProto helpers in the configuration code. An attacker can mutate Object.prototype by supplying...

6.5CVSS6.5AI score0.00273EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/01 10:12 p.m.7 views

Cross-site Scripting (XSS)

Overview jodit is a Jodit is awesome and usefully wysiwyg editor with filebrowser Affected versions of this package are vulnerable to Cross-site Scripting XSS via the safeHTML sanitizer in src/core/helpers/html/safe-html.ts and the clean-html plugin’s value-set/on-change sanitization paths. An...

7.2CVSS5.7AI score0.00179EPSS
Exploits0References2
Total number of security vulnerabilities35670