35986 matches found
Malicious Package
Overview vitest-agent is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Missing Authorization
Overview mlflow is a platform to streamline machine learning development, including tracking experiments, packaging code into reproducible runs, and sharing and deploying models. Affected versions of this package are vulnerable to Missing Authorization via the beforerequest handler in the trace A...
Missing Authorization
Overview Affected versions of this package are vulnerable to Missing Authorization via the beforerequest handler in the trace API endpoints. An authenticated attacker can bypass access controls by sending trace read, search, delete, update, linking, or assessment requests for experiments they do...
Allocation of Resources Without Limits or Throttling
Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the FindServers process. An attacker can cause the server to allocate excessive memory by sending a FindServersRequest with an unbounded serverUris field, delivering a very large...
Allocation of Resources Without Limits or Throttling
Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to the lack of enforced limits in the parser when processing JSON input. An attacker can cause excessive CPU and memory consumption by submitting very large or deeply nested JSON...
Cross-site Scripting (XSS)
Overview wagtail is an open source content management system built on Django. Affected versions of this package are vulnerable to Cross-site Scripting XSS in the dynamic image URL generator view within the admin interface. An attacker with a limited-permission editor account can execute arbitrary...
Improper Handling of Insufficient Permissions or Privileges
Overview wagtail is an open source content management system built on Django. Affected versions of this package are vulnerable to Improper Handling of Insufficient Permissions or Privileges in the chosen endpoint for Documents and Images, which incorrectly lists items for which the user has not...
Improper Handling of Insufficient Permissions or Privileges
Overview wagtail is an open source content management system built on Django. Affected versions of this package are vulnerable to Improper Handling of Insufficient Permissions or Privileges in the simpletranslation process. An attacker can access and create translations for pages without the...
Improper Handling of Insufficient Permissions or Privileges
Overview wagtail is an open source content management system built on Django. Affected versions of this package are vulnerable to Improper Handling of Insufficient Permissions or Privileges via the preview view in wagtail/images/views/images.py. An attacker can preview images they do not have...
Allocation of Resources Without Limits or Throttling
Overview wagtail is an open source content management system built on Django. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the previewrequest, imageid, filterspec view in wagtail/images/views/images.py. An authenticated admin can...
Prototype Pollution
Overview jodit is a Jodit is awesome and usefully wysiwyg editor with filebrowser Affected versions of this package are vulnerable to Prototype Pollution via the ConfigMerge and ConfigProto helpers in the configuration code. An attacker can mutate Object.prototype by supplying user-controlled...
Prototype Pollution
Overview org.webjars.npm:jodit is a Jodit is awesome and usefully wysiwyg editor with filebrowser Affected versions of this package are vulnerable to Prototype Pollution via the ConfigMerge and ConfigProto helpers in the configuration code. An attacker can mutate Object.prototype by supplying...
Cross-site Scripting (XSS)
Overview jodit is a Jodit is awesome and usefully wysiwyg editor with filebrowser Affected versions of this package are vulnerable to Cross-site Scripting XSS via the safeHTML sanitizer in src/core/helpers/html/safe-html.ts and the clean-html plugin’s value-set/on-change sanitization paths. An...
Cross-site Scripting (XSS)
Overview org.webjars.npm:jodit is a Jodit is awesome and usefully wysiwyg editor with filebrowser Affected versions of this package are vulnerable to Cross-site Scripting XSS via the safeHTML sanitizer in src/core/helpers/html/safe-html.ts and the clean-html plugin’s value-set/on-change...
Cross-site Scripting (XSS)
Overview silverstripe/framework is a PHP framework forming the base for the SilverStripe CMS. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the "Insert media from web" functionality in the CMS is vulnerable to XSS from a specially crafted embed. Details Cross-si...
Open Redirect
Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Open Redirect via the MCP SSE process. An attacker can access sensitive information by leveraging redirects that forward Authorization headers to unintended recipients. This is only...
Server-side Request Forgery (SSRF)
Overview @apify/actors-mcp-server is an Apify MCP Server Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the webServerMcpPath field in the Actor definition, which is concatenated with a trusted base URL without proper validation. An attacker can cause...
Race Condition
Overview Affected versions of this package are vulnerable to Race Condition through the ShareHandler process. An attacker can bypass intended download limits by making concurrent requests with the same share token, allowing multiple unauthorized downloads beyond the configured cap. Remediation...
Race Condition
Overview Affected versions of this package are vulnerable to Race Condition through the ShareHandler process. An attacker can bypass intended download limits by making concurrent requests with the same share token, allowing multiple unauthorized downloads beyond the configured cap. Remediation...
Race Condition
Overview Affected versions of this package are vulnerable to Race Condition through the ShareHandler process. An attacker can bypass intended download limits by making concurrent requests with the same share token, allowing multiple unauthorized downloads beyond the configured cap. Remediation...
Race Condition
Overview Affected versions of this package are vulnerable to Race Condition through the ShareHandler process. An attacker can bypass intended download limits by making concurrent requests with the same share token, allowing multiple unauthorized downloads beyond the configured cap. Remediation...
Use of Cache Containing Sensitive Information
Overview ghost is a publishing platform Affected versions of this package are vulnerable to Use of Cache Containing Sensitive Information in the handling of the x-ghost-preview header when the application is deployed behind a shared caching layer. An attacker can inject malicious content into...
Access Control Bypass
Overview Affected versions of this package are vulnerable to Access Control Bypass due to improper enforcement of mode-restriction flags in the WebDAV handler. An attacker can gain unauthorized access to modify, delete, or retrieve files by sending crafted WebDAV requests to the affected service...
Access Control Bypass
Overview Affected versions of this package are vulnerable to Access Control Bypass due to improper enforcement of mode-restriction flags in the WebDAV handler. An attacker can gain unauthorized access to modify, delete, or retrieve files by sending crafted WebDAV requests to the affected service...
Access Control Bypass
Overview Affected versions of this package are vulnerable to Access Control Bypass due to improper enforcement of mode-restriction flags in the WebDAV handler. An attacker can gain unauthorized access to modify, delete, or retrieve files by sending crafted WebDAV requests to the affected service...
Insufficiently Protected Credentials
Overview Affected versions of this package are vulnerable to Insufficiently Protected Credentials via the Authorization header being forwarded during HTTP redirects or blob upload Location responses across registry origins. An attacker can obtain registry credentials intended for one origin by...
Insufficiently Protected Credentials
Overview Affected versions of this package are vulnerable to Insufficiently Protected Credentials via the Authorization header being forwarded during HTTP redirects or blob upload Location responses across registry origins. An attacker can obtain registry credentials intended for one origin by...
Not Failing Securely ('Failing Open')
Overview Affected versions of this package are vulnerable to Not Failing Securely 'Failing Open' in the TlsServerEndpoint process when a server presents an X.509 certificate using a modern signature algorithm lacking traditional naming structures. An attacker can bypass strict client-side...
Not Failing Securely ('Failing Open')
Overview Affected versions of this package are vulnerable to Not Failing Securely 'Failing Open' in the TlsServerEndpoint process when a server presents an X.509 certificate using a modern signature algorithm lacking traditional naming structures. An attacker can bypass strict client-side...
Symlink Attack
Overview Affected versions of this package are vulnerable to Symlink Attack through improper validation of hardlink targets during tar extraction. An attacker can access or modify files outside the intended extraction directory by crafting a malicious tarball with a hardlink entry whose target is...
Symlink Attack
Overview Affected versions of this package are vulnerable to Symlink Attack through improper validation of hardlink targets during tar extraction. An attacker can access or modify files outside the intended extraction directory by crafting a malicious tarball with a hardlink entry whose target is...
Symlink Attack
Overview Affected versions of this package are vulnerable to Symlink Attack through improper validation of hardlink targets during tar extraction. An attacker can access or modify files outside the intended extraction directory by crafting a malicious tarball with a hardlink entry whose target is...
External Control of File Name or Path
Overview Affected versions of this package are vulnerable to External Control of File Name or Path through the pushFile process when symlink traversal is possible within the working directory. An attacker can write files outside the intended directory boundary by supplying a crafted blob title th...
External Control of File Name or Path
Overview Affected versions of this package are vulnerable to External Control of File Name or Path through the pushFile process when symlink traversal is possible within the working directory. An attacker can write files outside the intended directory boundary by supplying a crafted blob title th...
Server-side Request Forgery (SSRF)
Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the blobStore.completePushAfterInitialPost process. An attacker can obtain sensitive credentials by manipulating the Location header to redirect requests to an attacker-controlled endpoint, causing t...
Server-side Request Forgery (SSRF)
Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the blobStore.completePushAfterInitialPost process. An attacker can obtain sensitive credentials by manipulating the Location header to redirect requests to an attacker-controlled endpoint, causing t...
Directory Traversal
Overview gradio is a Python library for easily interacting with trained machine learning models Affected versions of this package are vulnerable to Directory Traversal via the preprocess method in the FileExplorer component. An attacker can read arbitrary files outside the configured rootdir by...
Allocation of Resources Without Limits or Throttling
Overview Magick.NET-Q8-arm64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package are...
Allocation of Resources Without Limits or Throttling
Overview Magick.NET-Q16-x86 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package are...
Allocation of Resources Without Limits or Throttling
Overview Magick.NET-Q16-HDRI-x86 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package are...
Allocation of Resources Without Limits or Throttling
Overview Magick.NET-Q16-OpenMP-x64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package a...
Allocation of Resources Without Limits or Throttling
Overview Magick.NET-Q16-AnyCPU is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package are...
Allocation of Resources Without Limits or Throttling
Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the connected-components when invalid arguments are provided. An attacker can cause the application to enter an infinite loop by supplying specially crafted input. Remediation A fi...
Allocation of Resources Without Limits or Throttling
Overview Magick.NET-Q16-HDRI-OpenMP-x64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this...
Allocation of Resources Without Limits or Throttling
Overview Magick.NET-Q16-HDRI-arm64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package a...
Allocation of Resources Without Limits or Throttling
Overview Magick.NET-Q16-arm64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package are...
Allocation of Resources Without Limits or Throttling
Overview Magick.NET-Q8-OpenMP-x64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package ar...
Allocation of Resources Without Limits or Throttling
Overview Magick.NET-Q8-x86 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package are...
Allocation of Resources Without Limits or Throttling
Overview Magick.NET-Q16-x64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package are...
Allocation of Resources Without Limits or Throttling
Overview Magick.NET-Q16-OpenMP-arm64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package...