Lucene search
+L

36058 matches found

Snyk
Snyk
added 2026/07/03 4:0 p.m.7 views

Malicious Package

Overview aldermorrgan is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS6AI score
Exploits0References2
Snyk
Snyk
added 2026/07/03 3:59 p.m.7 views

Malicious Package

Overview @sql-access/nodesql is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS6AI score
Exploits0References2
Snyk
Snyk
added 2026/07/03 3:44 p.m.6 views

Malicious Package

Overview @lodash-en/lodash-en is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS6AI score
Exploits0References2
Snyk
Snyk
added 2026/07/03 3:37 p.m.3 views

Insufficient Granularity of Access Control

Overview org.keycloak:keycloak-server-spi-private is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Insufficient Granularity of Access Control in the group retrieval due to an improper conditional...

4.3CVSS6.1AI score0.00172EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/03 3:37 p.m.6 views

Malicious Package

Overview decode-sdks is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorshi...

9.8CVSS6AI score
Exploits0References2
Snyk
Snyk
added 2026/07/03 3:37 p.m.7 views

Malicious Package

Overview @jacobtan/decode-sdk is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS6AI score
Exploits0References2
Snyk
Snyk
added 2026/07/03 3:21 p.m.3 views

Incorrect Authorization

Overview org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Incorrect Authorization via the ClientResource component in the admin REST API when Fine-Grained Admin...

5.9CVSS6.1AI score0.00146EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/03 3:4 p.m.4 views

Incorrect Authorization

Overview org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Incorrect Authorization in the RoleContainerResource process when FGAP v2 is enabled. An attacker can access...

4.3CVSS6.1AI score0.00172EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/03 12:17 p.m.6 views

Server-side Request Forgery (SSRF)

Overview @theia/core is a the main extension for all Theia-based applications, and provides the main framework for all dependent extensions. Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the request-service process. An attacker can access sensitive...

8.5CVSS6AI score0.00297EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/03 12:17 p.m.5 views

Missing Origin Validation in WebSockets

Overview @theia/core is a the main extension for all Theia-based applications, and provides the main framework for all dependent extensions. Affected versions of this package are vulnerable to Missing Origin Validation in WebSockets via the shell-terminal and terminals/:id WebSocket endpoints whe...

8.8CVSS6.2AI score0.00159EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/03 12:17 p.m.5 views

Missing Origin Validation in WebSockets

Overview @theia/terminal is a Theia - Terminal Extension Affected versions of this package are vulnerable to Missing Origin Validation in WebSockets via the shell-terminal and terminals/:id WebSocket endpoints when origin validation is bypassed due to missing or manipulated headers. An attacker c...

8.8CVSS6.2AI score0.00159EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/03 12:17 p.m.13 views

Server-side Request Forgery (SSRF)

Overview @theia/request is a Theia Proxy-Aware Request Service Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the request-service process. An attacker can access sensitive internal resources by sending crafted URLs to the backend, which then performs...

8.5CVSS5.9AI score0.00297EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/03 11:17 a.m.4 views

Directory Traversal

Overview Affected versions of this package are vulnerable to Directory Traversal via the Lucene.Net.Replicator process. An attacker can access arbitrary files on the server by submitting crafted requests containing path traversal sequences. Details A Directory Traversal attack also known as path...

8.9CVSS6.5AI score0.00703EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/03 9:19 a.m.6 views

Directory Traversal

Overview Affected versions of this package are vulnerable to Directory Traversal via the Lucene.Net.Replicator process. An attacker can write arbitrary files to the client system by sending specially crafted data from a malicious server. Details A Directory Traversal attack also known as path...

8.9CVSS6.5AI score0.00616EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/03 9:17 a.m.4 views

XML External Entity (XXE) Injection

Overview Affected versions of this package are vulnerable to XML External Entity XXE Injection via the PatternParser process. An attacker can access sensitive files or interact with internal systems by submitting crafted XML data that triggers external entity resolution. Details XXE Injection is ...

9.8CVSS6AI score0.00328EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/03 8:19 a.m.7 views

Access Control Bypass

Overview Affected versions of this package are vulnerable to Access Control Bypass due to the omission of SSH host verification options in the --proto-default process. An attacker can intercept or impersonate an SSH server by exploiting the lack of host verification during connection establishmen...

7.5CVSS6AI score0.00574EPSS
Exploits1References2
Snyk
Snyk
added 2026/07/03 8:18 a.m.9 views

Use After Free

Overview Affected versions of this package are vulnerable to Use After Free in the curleasycleanup process after configuring an HTTP/2 stream-dependency tree using CURLOPTSTREAMDEPENDS or CURLOPTSTREAMDEPENDSE and invoking curleasyreset. An attacker can cause the application to access freed memor...

9.8CVSS6.2AI score0.00891EPSS
Exploits1References2
Snyk
Snyk
added 2026/07/03 8:18 a.m.8 views

Authentication Bypass by Primary Weakness

Overview Affected versions of this package are vulnerable to Authentication Bypass by Primary Weakness in the STARTTLS process. An attacker can compromise the security of the TLS connection by exploiting a scenario where a new transfer reuses an existing live connection despite a mismatch in TLS...

9.1CVSS6AI score0.0052EPSS
Exploits1References2
Snyk
Snyk
added 2026/07/03 8:18 a.m.6 views

Access Control Bypass

Overview Affected versions of this package are vulnerable to Access Control Bypass in the connection reuse process. An attacker can gain unauthorized access to resources or services by exploiting the reuse of an authenticated connection intended for a different service. Remediation Upgrade libcur...

6.9CVSS6AI score0.00543EPSS
Exploits1References2
Snyk
Snyk
added 2026/07/03 8:18 a.m.8 views

Denial of Service (DoS)

Overview Affected versions of this package are vulnerable to Denial of Service DoS due to the lack of an upper bound on memory allocation for unacknowledged WebSocket PING frames. An attacker can cause memory exhaustion by sending a rapid sequence of PING messages from a malicious server. Details...

8.7CVSS6AI score0.0086EPSS
Exploits1References2
Snyk
Snyk
added 2026/07/03 8:18 a.m.7 views

Insufficiently Protected Credentials

Overview Affected versions of this package are vulnerable to Insufficiently Protected Credentials in the Authorization header handling process. An attacker can cause sensitive authentication information to be sent to an unintended origin by reusing a handle for transfers to different HTTP origins...

9.8CVSS6AI score0.01064EPSS
Exploits1References2
Snyk
Snyk
added 2026/07/03 8:18 a.m.6 views

Authentication Bypass by Primary Weakness

Overview Affected versions of this package are vulnerable to Authentication Bypass by Primary Weakness in the connection pool process. An attacker can bypass intended certificate validation by reusing a handle that initially used the default native CA trust and then switching it to custom CA...

9.1CVSS6AI score0.0061EPSS
Exploits1References2
Snyk
Snyk
added 2026/07/03 8:18 a.m.10 views

Infinite loop

Overview Affected versions of this package are vulnerable to Infinite loop in the udpreceive process. An attacker can cause the client to enter a busy-loop and become unresponsive by continuously sending zero-length UDP datagrams from a malicious HTTP/3 server. Remediation Upgrade libcurl to...

8.7CVSS6.2AI score0.0101EPSS
Exploits1References2
Snyk
Snyk
added 2026/07/03 8:18 a.m.23 views

Insertion of Sensitive Information Into Sent Data

Overview Affected versions of this package are vulnerable to Insertion of Sensitive Information Into Sent Data due to the improper clearing of the CURLOPTREFERER option. An attacker can cause sensitive information to be disclosed by forcing the reuse and transmission of a previous referer header ...

7.5CVSS5.9AI score0.00652EPSS
Exploits1References2
Snyk
Snyk
added 2026/07/03 8:18 a.m.8 views

Use After Free

Overview Affected versions of this package are vulnerable to Use After Free in the CURLMOPTSOCKETFUNCTION callback when curleasypause is called. An attacker can execute arbitrary code or cause a denial of service by triggering the use of a dangling pointer after memory has been freed. Remediation...

8.8CVSS6.2AI score0.00494EPSS
Exploits1References2
Snyk
Snyk
added 2026/07/03 8:18 a.m.9 views

Improper Verification of Cryptographic Signature

Overview Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature via the cookie parsing process. An attacker can cause unauthorized cookies to be set and transmitted to unrelated third-party domains by crafting HTTP responses that exploit improper doma...

9.1CVSS5.9AI score0.00649EPSS
Exploits1References2
Snyk
Snyk
added 2026/07/03 8:18 a.m.8 views

Insufficiently Protected Credentials

Overview Affected versions of this package are vulnerable to Insufficiently Protected Credentials in the process that handles .netrc credential retrieval when a URL is specified with a username but without a password. An attacker can gain unauthorized access to sensitive information by exploiting...

9.1CVSS6AI score0.0061EPSS
Exploits1References2
Snyk
Snyk
added 2026/07/03 8:18 a.m.10 views

Double Free

Overview Affected versions of this package are vulnerable to Double Free in the GSASL context cleanup process. An attacker can cause arbitrary code execution or a denial of service by triggering the double-free condition. Remediation Upgrade libcurl to version 8.21.0 or higher. References - Curl...

9.8CVSS6.6AI score0.0108EPSS
Exploits1References2
Snyk
Snyk
added 2026/07/03 8:18 a.m.7 views

Improper Certificate Validation

Overview Affected versions of this package are vulnerable to Improper Certificate Validation when the CURLOPTSSLSESSIONIDCACHE is enabled and the CURLSSLOPTEARLYDATA option is set in CURLOPTSSLOPTIONS. An attacker can intercept and obtain sensitive information by impersonating a server and...

8.3CVSS6AI score0.00408EPSS
Exploits1References2
Snyk
Snyk
added 2026/07/03 8:18 a.m.5 views

Authentication Bypass by Primary Weakness

Overview Affected versions of this package are vulnerable to Authentication Bypass by Primary Weakness due to incomplete matching of mTLS configuration options during connection reuse in the connection process. An attacker can cause connections to be reused with incorrect client certificate...

9.3CVSS6.1AI score0.00368EPSS
Exploits1References2
Snyk
Snyk
added 2026/07/03 8:18 a.m.9 views

Improper Certificate Validation

Overview Affected versions of this package are vulnerable to Improper Certificate Validation in the CURLOPTSSHKEYFUNCTION process. An attacker can intercept or manipulate data by presenting a server host key type that does not match the recorded key type in the knownhosts file, which is improperl...

8.3CVSS6AI score0.00508EPSS
Exploits1References2
Snyk
Snyk
added 2026/07/03 8:16 a.m.8 views

Access Control Bypass

Overview Affected versions of this package are vulnerable to Access Control Bypass in the process responsible for clearing proxy authentication credentials. An attacker can gain unauthorized access to sensitive proxy credentials by leveraging subsequent transfers that reuse stale authentication...

9.8CVSS6AI score0.01064EPSS
Exploits1References2
Snyk
Snyk
added 2026/07/03 8:16 a.m.8 views

Insertion of Sensitive Information Into Sent Data

Overview Affected versions of this package are vulnerable to Insertion of Sensitive Information Into Sent Data in the process of reusing a handle for sequential transfers with environment-variable proxy configuration. An attacker can cause sensitive authentication headers to be sent to an...

9.1CVSS6AI score0.00752EPSS
Exploits1References2
Snyk
Snyk
added 2026/07/02 10:18 p.m.6 views

Active Debug Code

Overview Affected versions of this package are vulnerable to Active Debug Code via improper handler registration on the shared http.DefaultServeMux. An attacker can gain unauthorized access to sensitive debug and metrics endpoints by sending crafted requests, potentially exposing process command...

7.7CVSS6AI score0.00266EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/02 10:18 p.m.4 views

Active Debug Code

Overview Affected versions of this package are vulnerable to Active Debug Code via improper handler registration on the shared http.DefaultServeMux. An attacker can gain unauthorized access to sensitive debug and metrics endpoints by sending crafted requests, potentially exposing process command...

7.7CVSS6AI score0.00266EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/02 10:18 p.m.4 views

Active Debug Code

Overview Affected versions of this package are vulnerable to Active Debug Code via improper handler registration on the shared http.DefaultServeMux. An attacker can gain unauthorized access to sensitive debug and metrics endpoints by sending crafted requests, potentially exposing process command...

7.7CVSS6AI score0.00266EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/02 10:18 p.m.6 views

Authorization Bypass Through User-Controlled Key

Overview @lobehub/lobehub is a LobeHub - an open-source,comprehensive AI Agent framework that supports speech synthesis, multimodal, and extensible Function Call plugin system. Supports one-click free deployment of your private ChatGPT/LLM web application. Affected versions of this package are...

6CVSS5.9AI score0.00154EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/02 10:18 p.m.4 views

Incorrect Privilege Assignment

Overview Affected versions of this package are vulnerable to Incorrect Privilege Assignment via the assignRoleToUser and assignRoleToGroup handlers. An attacker can gain unauthorized administrative privileges by assigning high-privilege roles, such as the built-in admin role, to themselves or...

8.8CVSS6AI score0.00389EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/02 10:18 p.m.6 views

Regular Expression Denial of Service (ReDoS)

Overview @lobehub/lobehub is a LobeHub - an open-source,comprehensive AI Agent framework that supports speech synthesis, multimodal, and extensible Function Call plugin system. Supports one-click free deployment of your private ChatGPT/LLM web application. Affected versions of this package are...

7.1CVSS5.9AI score0.00305EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/02 10:18 p.m.6 views

Authorization Bypass Through User-Controlled Key

Overview @lobehub/lobehub is a LobeHub - an open-source,comprehensive AI Agent framework that supports speech synthesis, multimodal, and extensible Function Call plugin system. Supports one-click free deployment of your private ChatGPT/LLM web application. Affected versions of this package are...

5CVSS6.1AI score0.0018EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/02 10:18 p.m.6 views

Origin Validation Error

Overview Affected versions of this package are vulnerable to Origin Validation Error in the OIDC discovery process when the X-Forwarded-Host header is not validated and no allowed-hosts list is configured. An attacker can manipulate the issuer and JWKS URI in the discovery document by supplying a...

8.2CVSS6AI score0.00246EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/02 10:18 p.m.6 views

Inefficient Algorithmic Complexity

Overview pathway is a Pathway Live Data Framework is a data processing framework which takes care of streaming data updates for you. Affected versions of this package are vulnerable to Inefficient Algorithmic Complexity via the document store process. An attacker can exhaust system resources by...

8.7CVSS6AI score0.0047EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/02 10:18 p.m.5 views

Authorization Bypass Through User-Controlled Key

Overview @lobehub/lobehub is a LobeHub - an open-source,comprehensive AI Agent framework that supports speech synthesis, multimodal, and extensible Function Call plugin system. Supports one-click free deployment of your private ChatGPT/LLM web application. Affected versions of this package are...

7.1CVSS6.1AI score0.00238EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/02 10:17 p.m.8 views

Server-side Request Forgery (SSRF)

Overview @lobehub/lobehub is a LobeHub - an open-source,comprehensive AI Agent framework that supports speech synthesis, multimodal, and extensible Function Call plugin system. Supports one-click free deployment of your private ChatGPT/LLM web application. Affected versions of this package are...

8.3CVSS6AI score0.00235EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/02 10:17 p.m.8 views

HTTP Request Smuggling

Overview webrick is a HTTP server toolkit that can be configured as an HTTPS server, a proxy server, and a virtual-host server. Affected versions of this package are vulnerable to HTTP Request Smuggling in the request process. An attacker can bypass request boundaries and interfere with HTTP...

6.9CVSS6AI score0.00352EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/02 10:17 p.m.5 views

Uncontrolled Recursion

Overview Affected versions of this package are vulnerable to Uncontrolled Recursion in the ParseObjectContext and parseArray functions due to recursive parsing of nested PDF objects without enforcing a maximum nesting depth. An attacker can cause resource exhaustion and application unavailability...

8.7CVSS6AI score0.00451EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/02 10:17 p.m.4 views

Uncontrolled Recursion

Overview Affected versions of this package are vulnerable to Uncontrolled Recursion in the ParseObjectContext and parseArray functions due to recursive parsing of nested PDF objects without enforcing a maximum nesting depth. An attacker can cause resource exhaustion and application unavailability...

8.7CVSS6AI score0.00451EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/02 9:14 p.m.7 views

External Control of File Name or Path

Overview recce is an Environment diff tool for dbt Affected versions of this package are vulnerable to External Control of File Name or Path via the query run API when configured with a DuckDB-backed project. An attacker can access or modify local files accessible to the server process, potential...

9.9CVSS6AI score
Exploits0References2
Snyk
Snyk
added 2026/07/02 9:13 p.m.8 views

User Impersonation

Overview 9router is a 9Router CLI - Start and manage 9Router server Affected versions of this package are vulnerable to User Impersonation via the isLocalRequest function. An attacker can gain unauthorized access to restricted routes and interact with child processes by spoofing the Host and Orig...

8.3CVSS6AI score0.00357EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/02 8:56 p.m.8 views

Use of Hard-coded Credentials

Overview 9router is a 9Router CLI - Start and manage 9Router server Affected versions of this package are vulnerable to Use of Hard-coded Credentials in the SECRET assignment process. An attacker can gain unauthorized access to the dashboard and API by forging a valid authtoken cookie using the...

9.8CVSS6AI score0.00601EPSS
Exploits1References2
Total number of security vulnerabilities36058