Lucene search
+L

36057 matches found

Snyk
Snyk
added 2026/07/02 8:55 p.m.6 views

Missing Authorization

Overview kiwitcms is a Test Case Management System Affected versions of this package are vulnerable to Missing Authorization in the /init-db/ process. An attacker can access administrative setup functionality by sending requests to this endpoint after initial use. This is only exploitable if the...

6.9CVSS5.9AI score0.00048EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/02 8:47 p.m.5 views

Insufficient Verification of Data Authenticity

Overview simplesamlphp/simplesamlphp is a PHP implementation of a SAML 2.0 service provider and identity provider, also compatible with Shibboleth 1.3 and 2.0. Affected versions of this package are vulnerable to Insufficient Verification of Data Authenticity in the processing of SAML responses wh...

7.1CVSS6AI score
Exploits0References2
Snyk
Snyk
added 2026/07/02 8:46 p.m.5 views

Improper Handling of Windows DATA Alternate Data Stream

Overview Affected versions of this package are vulnerable to Improper Handling of Windows DATA Alternate Data Stream in the FilePage process on Windows systems when handling filenames with NTFS-equivalent suffixes such as ::$DATA, a trailing dot, or a trailing space. An attacker can obtain the ra...

8.7CVSS6AI score0.00077EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/02 8:44 p.m.8 views

Missing Authorization

Overview Affected versions of this package are vulnerable to Missing Authorization through the add and remove endpoints for timesheet favorites. An attacker can manipulate another user's favorite bookmark state by referencing the victim's timesheet identifier, allowing unauthorized addition or...

5.3CVSS6AI score
Exploits0References3
Snyk
Snyk
added 2026/07/02 8:38 p.m.5 views

Improper Authentication

Overview fast-mcp-telegram is a Multi-tenant Telegram gateway for AI agents — HTTP+stdio transport, 8 agent-optimized tools, MTProto User API Affected versions of this package are vulnerable to Improper Authentication via the SessionFileTokenVerifier.verifytoken process. An attacker can gain...

9.4CVSS6AI score0.00423EPSS
Exploits0References3
Snyk
Snyk
added 2026/07/02 8:27 p.m.8 views

Improper Neutralization of Data within XPath Expressions ('XPath Injection')

Overview Affected versions of this package are vulnerable to Improper Neutralization of Data within XPath Expressions 'XPath Injection' through the XPath Transform process. An attacker can cause the application to become unresponsive or crash by sending specially crafted messages that exploit thi...

8.7CVSS6AI score
Exploits0References2
Snyk
Snyk
added 2026/07/02 8:27 p.m.6 views

Improper Neutralization of Data within XPath Expressions ('XPath Injection')

Overview Affected versions of this package are vulnerable to Improper Neutralization of Data within XPath Expressions 'XPath Injection' through the XPath Transform process. An attacker can cause the application to become unresponsive or crash by sending specially crafted messages that exploit thi...

8.7CVSS6AI score
Exploits0References2
Snyk
Snyk
added 2026/07/02 8:25 p.m.5 views

Improper Certificate Validation

Overview Affected versions of this package are vulnerable to Improper Certificate Validation in the HTTPArtifact::receive process. An attacker can gain unauthorized access to arbitrary user accounts by crafting a forged unsigned assertion from a malicious or lower-trust identity provider within t...

8.7CVSS6.1AI score
Exploits0References2
Snyk
Snyk
added 2026/07/02 8:25 p.m.7 views

Improper Certificate Validation

Overview Affected versions of this package are vulnerable to Improper Certificate Validation in the HTTPArtifact::receive process. An attacker can gain unauthorized access to arbitrary user accounts by crafting a forged unsigned assertion from a malicious or lower-trust identity provider within t...

8.7CVSS6.1AI score
Exploits0References2
Snyk
Snyk
added 2026/07/02 8:23 p.m.6 views

Arbitrary Argument Injection

Overview linuxfabrik-lib is a Python libraries used in various Linuxfabrik projects, including the 'Linuxfabrik Monitoring Plugins' project. Affected versions of this package are vulnerable to Arbitrary Argument Injection in the configuration of the sudoers file, which allows arbitrary arguments ...

8.4CVSS6.2AI score
Exploits0References2
Snyk
Snyk
added 2026/07/02 8:20 p.m.5 views

Regular Expression Denial of Service (ReDoS)

Overview @asymmetric-effort/nogginlessdom is an A zero-dependency testing framework with comprehensive test runner, assertions, DOM simulation, and mocking, built on node:test and node:assert Affected versions of this package are vulnerable to Regular Expression Denial of Service ReDoS in the...

6.9CVSS5.9AI score
Exploits0References2
Snyk
Snyk
added 2026/07/02 8:19 p.m.7 views

Directory Traversal

Overview @asymmetric-effort/nogginlessdom is an A zero-dependency testing framework with comprehensive test runner, assertions, DOM simulation, and mocking, built on node:test and node:assert Affected versions of this package are vulnerable to Directory Traversal via the matchFileSnapshot functio...

8.7CVSS6.6AI score
Exploits0References2
Snyk
Snyk
added 2026/07/02 8:17 p.m.11 views

Missing Authorization

Overview 9router is a 9Router CLI - Start and manage 9Router server Affected versions of this package are vulnerable to Missing Authorization via the POST /api/tunnel/tailscale-install route handler, which accepts a JSON body containing a sudoPassword field and pipes it, along with the contents o...

9.8CVSS6.2AI score0.01372EPSS
Exploits0References3
Snyk
Snyk
added 2026/07/02 8:16 p.m.9 views

Use of GET Request Method With Sensitive Query Strings

Overview @nuxt/ui is an A UI Library for Modern Web Apps, powered by Vue & Tailwind CSS. Affected versions of this package are vulnerable to Use of GET Request Method With Sensitive Query Strings via the UForm and UAuthForm components when the server-side rendered form omits the method attribute...

6.9CVSS6AI score
Exploits0References2
Snyk
Snyk
added 2026/07/02 8:13 p.m.3 views

Regular Expression Denial of Service (ReDoS)

Overview org.webjars.npm:jsonata is a JSON query and transformation language Affected versions of this package are vulnerable to Regular Expression Denial of Service ReDoS via the $toMillis function. An attacker can cause resource exhaustion by providing specially crafted inputs that trigger...

8.7CVSS5.9AI score
Exploits0References2
Snyk
Snyk
added 2026/07/02 8:13 p.m.5 views

Regular Expression Denial of Service (ReDoS)

Overview jsonata is a JSON query and transformation language Affected versions of this package are vulnerable to Regular Expression Denial of Service ReDoS via the $toMillis function. An attacker can cause resource exhaustion by providing specially crafted inputs that trigger excessive backtracki...

8.7CVSS5.9AI score
Exploits0References2
Snyk
Snyk
added 2026/07/02 8:3 p.m.5 views

Missing Authorization

Overview craftcms/cms is a content management system. Affected versions of this package are vulnerable to Missing Authorization in the actionMoveFolder process. An attacker can remove destination folders and their contents without having delete permissions on the destination by initiating a force...

7.1CVSS6AI score0.00207EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/02 8:3 p.m.5 views

Improperly Controlled Modification of Dynamically-Determined Object Attributes

Overview craftcms/cms is a content management system. Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes via the newAttributes parameter in the bulk duplicate process. An attacker can overwrite existing elements...

7.1CVSS6AI score0.00253EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/02 7:35 p.m.7 views

Missing Authorization

Overview @grackle-ai/auth is an Authentication and authorization primitives for Grackle Affected versions of this package are vulnerable to Missing Authorization due to inconsistent enforcement of authorization checks in the tool layer. An attacker can gain unauthorized access to perform cross-ta...

8.8CVSS6.1AI score
Exploits0References4
Snyk
Snyk
added 2026/07/02 7:35 p.m.10 views

Missing Authorization

Overview @grackle-ai/mcp is a MCP Model Context Protocol server for Grackle — translates MCP tool calls to ConnectRPC Affected versions of this package are vulnerable to Missing Authorization due to inconsistent enforcement of authorization checks in the tool layer. An attacker can gain...

8.8CVSS6.1AI score
Exploits0References4
Snyk
Snyk
added 2026/07/02 7:35 p.m.10 views

Missing Authorization

Overview @grackle-ai/plugin-core is a Core plugin for Grackle — gRPC handlers, reconciliation phases, and event subscribers Affected versions of this package are vulnerable to Missing Authorization due to inconsistent enforcement of authorization checks in the tool layer. An attacker can gain...

8.8CVSS6.1AI score
Exploits0References4
Snyk
Snyk
added 2026/07/02 7:23 p.m.8 views

Improper Authorization

Overview froxlor/froxlor is a server administration software. Affected versions of this package are vulnerable to Improper Authorization through the Mysqls.add process. An attacker can create databases and users on unauthorized MySQL servers by supplying a disallowed server index in the API...

5.3CVSS6AI score
Exploits0References2
Snyk
Snyk
added 2026/07/02 7:23 p.m.7 views

Authorization Bypass Through User-Controlled Key

Overview froxlor/froxlor is a server administration software. Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key in the customeremail.php process. An attacker can access other users' allowed sender aliases by supplying arbitrary senderid values in...

6.9CVSS6AI score
Exploits0References2
Snyk
Snyk
added 2026/07/02 7:22 p.m.5 views

Command Injection

Overview electerm is an open-sourced terminal/ssh/telnet/serialport/sftp client Affected versions of this package are vulnerable to Command Injection via the rmrf, mv, and cp functions. An attacker can execute arbitrary commands by supplying specially crafted file names containing shell...

8.8CVSS6.3AI score0.00072EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/02 7:21 p.m.4 views

Missing Authentication for Critical Function

Overview Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the unauthenticated GET /api/v1/oauth and GET /api/v1/oauth/:id endpoints, which serialize and return sensitive fields such as clientsecret in the response. An attacker can obtain...

6.3CVSS5.9AI score
Exploits0References2
Snyk
Snyk
added 2026/07/02 7:21 p.m.4 views

Missing Authentication for Critical Function

Overview Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the unauthenticated GET /api/v1/oauth and GET /api/v1/oauth/:id endpoints, which serialize and return sensitive fields such as clientsecret in the response. An attacker can obtain...

6.3CVSS5.9AI score
Exploits0References2
Snyk
Snyk
added 2026/07/02 7:21 p.m.6 views

Missing Authentication for Critical Function

Overview Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the unauthenticated GET /api/v1/oauth and GET /api/v1/oauth/:id endpoints, which serialize and return sensitive fields such as clientsecret in the response. An attacker can obtain...

6.3CVSS5.9AI score
Exploits0References2
Snyk
Snyk
added 2026/07/02 7:21 p.m.4 views

Missing Authentication for Critical Function

Overview Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the unauthenticated GET /api/v1/oauth and GET /api/v1/oauth/:id endpoints, which serialize and return sensitive fields such as clientsecret in the response. An attacker can obtain...

6.3CVSS5.9AI score
Exploits0References2
Snyk
Snyk
added 2026/07/02 7:21 p.m.5 views

Missing Authentication for Critical Function

Overview Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the unauthenticated GET /api/v1/oauth and GET /api/v1/oauth/:id endpoints, which serialize and return sensitive fields such as clientsecret in the response. An attacker can obtain...

6.3CVSS5.9AI score
Exploits0References2
Snyk
Snyk
added 2026/07/02 7:21 p.m.5 views

Missing Authentication for Critical Function

Overview Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the unauthenticated GET /api/v1/oauth and GET /api/v1/oauth/:id endpoints, which serialize and return sensitive fields such as clientsecret in the response. An attacker can obtain...

6.3CVSS5.9AI score
Exploits0References2
Snyk
Snyk
added 2026/07/02 7:20 p.m.5 views

Directory Traversal

Overview electerm is an open-sourced terminal/ssh/telnet/serialport/sftp client Affected versions of this package are vulnerable to Directory Traversal via the prepareReceiveFile and getUniqueFilePath processes. An attacker can write files to arbitrary locations on the user's filesystem by...

7.1CVSS6.5AI score0.00034EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/02 7:18 p.m.4 views

Inefficient Algorithmic Complexity

Overview @conform-to/dom is an A set of opinionated helpers built on top of the Constraint Validation API Affected versions of this package are vulnerable to Inefficient Algorithmic Complexity in the parseSubmission process. An attacker can cause excessive CPU consumption by submitting forms with...

8.7CVSS6AI score
Exploits0References2
Snyk
Snyk
added 2026/07/02 7:16 p.m.8 views

Arbitrary Argument Injection

Overview @grackle-ai/runtime-sdk is a Grackle runtime SDK — interfaces, base classes, shared utilities, and runtime installer Affected versions of this package are vulnerable to Arbitrary Argument Injection via unsanitized input to the branch parameter in the SpawnSession process. An attacker can...

8.8CVSS6.2AI score
Exploits0References3
Snyk
Snyk
added 2026/07/02 7:16 p.m.9 views

Arbitrary Argument Injection

Overview @grackle-ai/powerline is a gRPC PowerLine server for Grackle AI agent integration Affected versions of this package are vulnerable to Arbitrary Argument Injection via unsanitized input to the branch parameter in the SpawnSession process. An attacker can execute arbitrary commands as the...

8.8CVSS6.2AI score
Exploits0References3
Snyk
Snyk
added 2026/07/02 7:12 p.m.5 views

Inadequate Encryption Strength

Overview Affected versions of this package are vulnerable to Inadequate Encryption Strength in the verify process. An attacker can gain unauthorized access and forge arbitrary claims by submitting tokens signed with an empty or null key, which are incorrectly accepted as valid signatures. This is...

8.7CVSS6.1AI score
Exploits0References2
Snyk
Snyk
added 2026/07/02 7:9 p.m.5 views

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the inline parameter in the file download process. An attacker can execute arbitrary scripts in the context of the application's web origin by uploading a crafted HTML file and convincing a victim to open a...

3.7CVSS5.8AI score0.00028EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/02 7:9 p.m.4 views

Directory Traversal

Overview Affected versions of this package are vulnerable to Directory Traversal via the public web-client endpoint for partial ZIP downloads of a browsable share. An attacker can access files outside the intended shared directory by supplying crafted file entries whose canonical paths begin with...

8.2CVSS6.5AI score0.00057EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/02 7:9 p.m.4 views

Directory Traversal

Overview Affected versions of this package are vulnerable to Directory Traversal via the public web-client endpoint for partial ZIP downloads of a browsable share. An attacker can access files outside the intended shared directory by supplying crafted file entries whose canonical paths begin with...

8.2CVSS6.5AI score0.00057EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/02 7:8 p.m.4 views

Cross-site Scripting (XSS)

Overview @asymmetric-effort/specifyjs is an A declarative TypeScript UI framework built for performance and simplicity Affected versions of this package are vulnerable to Cross-site Scripting XSS in the renderToString process. An attacker can inject malicious CSS expressions by bypassing the...

6.1CVSS5.9AI score
Exploits0References2
Snyk
Snyk
added 2026/07/02 7:8 p.m.5 views

Server-side Request Forgery (SSRF)

Overview @asymmetric-effort/specifyjs is an A declarative TypeScript UI framework built for performance and simplicity Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the secureFetch process. An attacker can access internal or unintended network resources b...

6.9CVSS6AI score
Exploits0References2
Snyk
Snyk
added 2026/07/02 7:7 p.m.4 views

Server-side Request Forgery (SSRF)

Overview @asymmetric-effort/specifyjs is an A declarative TypeScript UI framework built for performance and simplicity Affected versions of this package are vulnerable to Server-side Request Forgery SSRF through the secure-fetch process. An attacker can cause memory exhaustion by supplying a very...

6.9CVSS6AI score
Exploits0References2
Snyk
Snyk
added 2026/07/02 7:7 p.m.3 views

Server-side Request Forgery (SSRF)

Overview @asymmetric-effort/specifyjs is an A declarative TypeScript UI framework built for performance and simplicity Affected versions of this package are vulnerable to Server-side Request Forgery SSRF due to incomplete validation in the secure-fetch process. An attacker can access internal...

6.9CVSS6AI score
Exploits0References2
Snyk
Snyk
added 2026/07/02 7:3 p.m.6 views

Information Exposure

Overview @asymmetric-effort/specifyjs is an A declarative TypeScript UI framework built for performance and simplicity Affected versions of this package are vulnerable to Information Exposure in the console.warn process. An attacker can gain insight into internal framework state, such as queue...

6.9CVSS6AI score
Exploits0References2
Snyk
Snyk
added 2026/07/02 7:0 p.m.5 views

Improper Neutralization of Special Elements in Data Query Logic

Overview @asymmetric-effort/specifyjs is an A declarative TypeScript UI framework built for performance and simplicity Affected versions of this package are vulnerable to Improper Neutralization of Special Elements in Data Query Logic via the gql function. An attacker can inject unauthorized...

6.9CVSS6AI score
Exploits0References2
Snyk
Snyk
added 2026/07/02 6:59 p.m.4 views

Server-side Request Forgery (SSRF)

Overview @asymmetric-effort/specifyjs is an A declarative TypeScript UI framework built for performance and simplicity Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the assertSecureUrl function. An attacker can bypass HTTPS validation by supplying a...

8.7CVSS6AI score
Exploits0References2
Snyk
Snyk
added 2026/07/02 6:49 p.m.4 views

Missing Authorization

Overview craftcms/cms is a content management system. Affected versions of this package are vulnerable to Missing Authorization through the actionDeleteFolder process. An attacker can remove assets belonging to other users by exploiting insufficient permission checks during folder deletion...

7.7CVSS5.9AI score0.00249EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/02 6:48 p.m.4 views

Authorization Bypass Through User-Controlled Key

Overview craftcms/cms is a content management system. Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the actionReplaceFile process. An attacker can delete assets in unauthorized volumes by supplying both assetId and sourceAssetId without...

5.4CVSS6AI score0.00265EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/02 6:47 p.m.5 views

Access Control Bypass

Overview craftcms/cms is a content management system. Affected versions of this package are vulnerable to Access Control Bypass via the entries/move-to-section process. An attacker can relocate entries into unauthorized sections by exploiting insufficient permission checks, allowing them to bypas...

6CVSS6AI score0.00273EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/02 6:45 p.m.5 views

Improper Authorization

Overview craftcms/cms is a content management system. Affected versions of this package are vulnerable to Improper Authorization in the entries/save-entry process. An attacker can reassign content authorship to another user without proper authorization by submitting crafted requests containing...

7.6CVSS6AI score0.00245EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/02 5:51 p.m.4 views

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the displaymap parser function when unescaped user input is passed to the overlays parameter. An attacker can execute arbitrary JavaScript in the context of users viewing the affected page by injecting...

8.8CVSS5.8AI score
Exploits0References3
Total number of security vulnerabilities36057