35670 matches found
Arbitrary Argument Injection
Overview @grackle-ai/runtime-sdk is a Grackle runtime SDK — interfaces, base classes, shared utilities, and runtime installer Affected versions of this package are vulnerable to Arbitrary Argument Injection via unsanitized input to the branch parameter in the SpawnSession process. An attacker can...
Inadequate Encryption Strength
Overview Affected versions of this package are vulnerable to Inadequate Encryption Strength in the verify process. An attacker can gain unauthorized access and forge arbitrary claims by submitting tokens signed with an empty or null key, which are incorrectly accepted as valid signatures. This is...
Cross-site Scripting (XSS)
Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the inline parameter in the file download process. An attacker can execute arbitrary scripts in the context of the application's web origin by uploading a crafted HTML file and convincing a victim to open a...
Directory Traversal
Overview Affected versions of this package are vulnerable to Directory Traversal via the public web-client endpoint for partial ZIP downloads of a browsable share. An attacker can access files outside the intended shared directory by supplying crafted file entries whose canonical paths begin with...
Directory Traversal
Overview Affected versions of this package are vulnerable to Directory Traversal via the public web-client endpoint for partial ZIP downloads of a browsable share. An attacker can access files outside the intended shared directory by supplying crafted file entries whose canonical paths begin with...
Cross-site Scripting (XSS)
Overview @asymmetric-effort/specifyjs is an A declarative TypeScript UI framework built for performance and simplicity Affected versions of this package are vulnerable to Cross-site Scripting XSS in the renderToString process. An attacker can inject malicious CSS expressions by bypassing the...
Server-side Request Forgery (SSRF)
Overview @asymmetric-effort/specifyjs is an A declarative TypeScript UI framework built for performance and simplicity Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the secureFetch process. An attacker can access internal or unintended network resources b...
Server-side Request Forgery (SSRF)
Overview @asymmetric-effort/specifyjs is an A declarative TypeScript UI framework built for performance and simplicity Affected versions of this package are vulnerable to Server-side Request Forgery SSRF through the secure-fetch process. An attacker can cause memory exhaustion by supplying a very...
Server-side Request Forgery (SSRF)
Overview @asymmetric-effort/specifyjs is an A declarative TypeScript UI framework built for performance and simplicity Affected versions of this package are vulnerable to Server-side Request Forgery SSRF due to incomplete validation in the secure-fetch process. An attacker can access internal...
Information Exposure
Overview @asymmetric-effort/specifyjs is an A declarative TypeScript UI framework built for performance and simplicity Affected versions of this package are vulnerable to Information Exposure in the console.warn process. An attacker can gain insight into internal framework state, such as queue...
Improper Neutralization of Special Elements in Data Query Logic
Overview @asymmetric-effort/specifyjs is an A declarative TypeScript UI framework built for performance and simplicity Affected versions of this package are vulnerable to Improper Neutralization of Special Elements in Data Query Logic via the gql function. An attacker can inject unauthorized...
Server-side Request Forgery (SSRF)
Overview @asymmetric-effort/specifyjs is an A declarative TypeScript UI framework built for performance and simplicity Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the assertSecureUrl function. An attacker can bypass HTTPS validation by supplying a...
Missing Authorization
Overview craftcms/cms is a content management system. Affected versions of this package are vulnerable to Missing Authorization through the actionDeleteFolder process. An attacker can remove assets belonging to other users by exploiting insufficient permission checks during folder deletion...
Authorization Bypass Through User-Controlled Key
Overview craftcms/cms is a content management system. Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the actionReplaceFile process. An attacker can delete assets in unauthorized volumes by supplying both assetId and sourceAssetId without...
Access Control Bypass
Overview craftcms/cms is a content management system. Affected versions of this package are vulnerable to Access Control Bypass via the entries/move-to-section process. An attacker can relocate entries into unauthorized sections by exploiting insufficient permission checks, allowing them to bypas...
Improper Authorization
Overview craftcms/cms is a content management system. Affected versions of this package are vulnerable to Improper Authorization in the entries/save-entry process. An attacker can reassign content authorship to another user without proper authorization by submitting crafted requests containing...
Cross-site Scripting (XSS)
Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the displaymap parser function when unescaped user input is passed to the overlays parameter. An attacker can execute arbitrary JavaScript in the context of users viewing the affected page by injecting...
SQL Injection
Overview langroid is a Harness LLMs with Multi-Agent Programming Affected versions of this package are vulnerable to SQL Injection via insufficient filtering in the validatequery process. An attacker can access arbitrary files on the database host and perform filesystem reconnaissance by injectin...
Relative Path Traversal
Overview langroid is a Harness LLMs with Multi-Agent Programming Affected versions of this package are vulnerable to Relative Path Traversal through improper validation of user-supplied file paths in the ReadFileTool and WriteFileTool components. An attacker can access or modify files outside the...
Insufficiently Protected Credentials
Overview Affected versions of this package are vulnerable to Insufficiently Protected Credentials via the UploadKerberosHub process. An attacker can obtain sensitive authentication credentials by configuring a malicious or compromised huburi that issues a cross-host redirect, causing the client t...
Improper Certificate Validation
Overview Affected versions of this package are vulnerable to Improper Certificate Validation in the processing of requests to virtual hosts configured with both tls.enableFallbackCertificate and jwtProviders. An attacker can bypass authentication controls by sending requests without a valid token...
Missing Authentication for Critical Function
Overview mcp-memory-service is an Open-source persistent memory for AI agent pipelines and Claude. REST API + semantic search + knowledge graph + autonomous consolidation. Self-host, zero cloud cost. Affected versions of this package are vulnerable to Missing Authentication for Critical Function ...
Malicious Package
Overview animatecss-postcss-plugin is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...
Malicious Package
Overview tailwind-animates is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
User Impersonation
Overview Affected versions of this package are vulnerable to User Impersonation via the BalancerForward process. An attacker can manipulate upstream IP-based logic, such as rate limiting, access control, and audit logging, by injecting a spoofed X-Real-IP header value in requests. Remediation...
User Impersonation
Overview Affected versions of this package are vulnerable to User Impersonation via the BalancerForward process. An attacker can manipulate upstream IP-based logic, such as rate limiting, access control, and audit logging, by injecting a spoofed X-Real-IP header value in requests. Remediation The...
User Impersonation
Overview Affected versions of this package are vulnerable to User Impersonation via the BalancerForward process. An attacker can manipulate upstream IP-based logic, such as rate limiting, access control, and audit logging, by injecting a spoofed X-Real-IP header value in requests. Remediation The...
Information Exposure
Overview Affected versions of this package are vulnerable to Information Exposure via the Authorizer function. An attacker can determine valid usernames by measuring the response time difference between valid and invalid usernames during authentication attempts. Remediation There is no fixed...
Information Exposure
Overview Affected versions of this package are vulnerable to Information Exposure via the Authorizer function. An attacker can determine valid usernames by measuring the response time difference between valid and invalid usernames during authentication attempts. Remediation Upgrade...
Information Exposure
Overview Affected versions of this package are vulnerable to Information Exposure via the Authorizer function. An attacker can determine valid usernames by measuring the response time difference between valid and invalid usernames during authentication attempts. Remediation There is no fixed...
Malicious Package
Overview cache-section-helper is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview db-connector-log is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview db-convertor is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview db-plog is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...
Malicious Package
Overview tailwind-typography-stylecss is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...
Malicious Package
Overview @modhamanish/rn-mm-template is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...
Allocation of Resources Without Limits or Throttling
Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the GetEndpoints process. An attacker can cause the server to allocate excessive memory by sending a GetEndpointsRequest with an extremely large endpointUrl field, delivered in...
Malicious Package
Overview vitest-agent is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Missing Authorization
Overview mlflow is a platform to streamline machine learning development, including tracking experiments, packaging code into reproducible runs, and sharing and deploying models. Affected versions of this package are vulnerable to Missing Authorization via the beforerequest handler in the trace A...
Missing Authorization
Overview Affected versions of this package are vulnerable to Missing Authorization via the beforerequest handler in the trace API endpoints. An authenticated attacker can bypass access controls by sending trace read, search, delete, update, linking, or assessment requests for experiments they do...
Allocation of Resources Without Limits or Throttling
Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the FindServers process. An attacker can cause the server to allocate excessive memory by sending a FindServersRequest with an unbounded serverUris field, delivering a very large...
Allocation of Resources Without Limits or Throttling
Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to the lack of enforced limits in the parser when processing JSON input. An attacker can cause excessive CPU and memory consumption by submitting very large or deeply nested JSON...
Cross-site Scripting (XSS)
Overview wagtail is an open source content management system built on Django. Affected versions of this package are vulnerable to Cross-site Scripting XSS in the dynamic image URL generator view within the admin interface. An attacker with a limited-permission editor account can execute arbitrary...
Improper Handling of Insufficient Permissions or Privileges
Overview wagtail is an open source content management system built on Django. Affected versions of this package are vulnerable to Improper Handling of Insufficient Permissions or Privileges in the chosen endpoint for Documents and Images, which incorrectly lists items for which the user has not...
Improper Handling of Insufficient Permissions or Privileges
Overview wagtail is an open source content management system built on Django. Affected versions of this package are vulnerable to Improper Handling of Insufficient Permissions or Privileges in the simpletranslation process. An attacker can access and create translations for pages without the...
Improper Handling of Insufficient Permissions or Privileges
Overview wagtail is an open source content management system built on Django. Affected versions of this package are vulnerable to Improper Handling of Insufficient Permissions or Privileges via the preview view in wagtail/images/views/images.py. An attacker can preview images they do not have...
Allocation of Resources Without Limits or Throttling
Overview wagtail is an open source content management system built on Django. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the previewrequest, imageid, filterspec view in wagtail/images/views/images.py. An authenticated admin can...
Prototype Pollution
Overview jodit is a Jodit is awesome and usefully wysiwyg editor with filebrowser Affected versions of this package are vulnerable to Prototype Pollution via the ConfigMerge and ConfigProto helpers in the configuration code. An attacker can mutate Object.prototype by supplying user-controlled...
Prototype Pollution
Overview org.webjars.npm:jodit is a Jodit is awesome and usefully wysiwyg editor with filebrowser Affected versions of this package are vulnerable to Prototype Pollution via the ConfigMerge and ConfigProto helpers in the configuration code. An attacker can mutate Object.prototype by supplying...
Cross-site Scripting (XSS)
Overview jodit is a Jodit is awesome and usefully wysiwyg editor with filebrowser Affected versions of this package are vulnerable to Cross-site Scripting XSS via the safeHTML sanitizer in src/core/helpers/html/safe-html.ts and the clean-html plugin’s value-set/on-change sanitization paths. An...