Lucene search
+L

36119 matches found

Snyk
Snyk
added 2026/06/26 11:3 p.m.5 views

CSV Injection

Overview Affected versions of this package are vulnerable to CSV Injection in the export process. An attacker can execute arbitrary spreadsheet formulas by submitting specially crafted form values that begin with formula trigger characters, which are then interpreted as live formulas when the...

6.1CVSS6AI score
Exploits0References2
Snyk
Snyk
added 2026/06/26 11:3 p.m.5 views

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the Glide process. An attacker can cause the server to make unauthorized HTTP requests to internal network addresses by supplying a crafted URL that exploits DNS rebinding. Remediation Upgrade...

4.9CVSS5.8AI score
Exploits0References3
Snyk
Snyk
added 2026/06/26 10:59 p.m.7 views

Directory Traversal

Overview pnpm is a Fast, disk space efficient package manager Affected versions of this package are vulnerable to Directory Traversal via the patch application process. An attacker can overwrite or delete arbitrary files on the filesystem by submitting a malicious .patch file containing crafted...

7.3CVSS6.4AI score0.0027EPSS
Exploits1References2
Snyk
Snyk
added 2026/06/26 10:59 p.m.6 views

Insufficiently Protected Credentials

Overview pnpm is a Fast, disk space efficient package manager Affected versions of this package are vulnerable to Insufficiently Protected Credentials in the config and auth-header flow, which binds unscoped user-level npm authToken credentials to whatever default registry a repository-local .npm...

6.9CVSS5.8AI score0.00254EPSS
Exploits1References3
Snyk
Snyk
added 2026/06/26 10:55 p.m.7 views

Relative Path Traversal

Overview pnpm is a Fast, disk space efficient package manager Affected versions of this package are vulnerable to Relative Path Traversal in dependency alias handling, which passes alias names from package metadata into dependency linking as path components and normalizes them with path.join...

8.8CVSS5.9AI score0.00326EPSS
Exploits1References2
Snyk
Snyk
added 2026/06/26 10:53 p.m.7 views

Arbitrary Argument Injection

Overview pnpm is a Fast, disk space efficient package manager Affected versions of this package are vulnerable to Arbitrary Argument Injection in the git fetcher at fetching/git-fetcher/src/index.ts, which passes the lockfile's resolution.commit value into git fetch and git checkout without a --...

7.4CVSS6AI score0.0018EPSS
Exploits1References2
Snyk
Snyk
added 2026/06/26 10:52 p.m.7 views

Insufficient Verification of Data Authenticity

Overview pnpm is a Fast, disk space efficient package manager Affected versions of this package are vulnerable to Insufficient Verification of Data Authenticity in the default behavior of pnpm install, which accepts tarball content that does not match the integrity value recorded in the lockfile...

8.1CVSS5.8AI score0.00113EPSS
Exploits1References2
Snyk
Snyk
added 2026/06/26 10:49 p.m.11 views

Incorrect Comparison

Overview js-toml is an A TOML parser for JavaScript/TypeScript, targeting TOML 1.0.0 Spec Affected versions of this package are vulnerable to Incorrect Comparison via the load process. An attacker can manipulate configuration values by supplying specially crafted TOML input that uses duplicate ke...

6.9CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/06/26 10:43 p.m.7 views

Insufficiently Protected Credentials

Overview Affected versions of this package are vulnerable to Insufficiently Protected Credentials via the urls field in the layer descriptor. An attacker can obtain authentication credentials by serving a manifest with a urls entry pointing to an attacker-controlled host and causing the client to...

6.9CVSS6AI score
Exploits0References2
Snyk
Snyk
added 2026/06/26 10:43 p.m.8 views

Insufficiently Protected Credentials

Overview Affected versions of this package are vulnerable to Insufficiently Protected Credentials via the urls field in the layer descriptor. An attacker can obtain authentication credentials by serving a manifest with a urls entry pointing to an attacker-controlled host and causing the client to...

6.9CVSS6AI score
Exploits0References2
Snyk
Snyk
added 2026/06/26 10:32 p.m.6 views

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization in the access control process when domains are not properly canonicalized in highly specific edge cases. An attacker can gain unauthorized access to resources by crafting requests with domain names containing...

3.5CVSS5.8AI score0.00283EPSS
Exploits0References3
Snyk
Snyk
added 2026/06/26 10:32 p.m.5 views

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization in the access control process when domains are not properly canonicalized in highly specific edge cases. An attacker can gain unauthorized access to resources by crafting requests with domain names containing...

3.5CVSS5.8AI score0.00283EPSS
Exploits0References3
Snyk
Snyk
added 2026/06/26 10:31 p.m.6 views

Missing Authorization

Overview Affected versions of this package are vulnerable to Missing Authorization through the lack of ownership verification in the terminalStream and fmStream processes. An attacker can gain unauthorized interactive shell access or full file-manager control on the target server by obtaining a...

9.9CVSS5.8AI score
Exploits0References3
Snyk
Snyk
added 2026/06/26 10:31 p.m.9 views

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization in the API key management process. An attacker can perform unauthorized key-management operations, such as creating, listing, or revoking API keys for other owners or escalating privileges by generating keys with...

5.4CVSS6AI score
Exploits0References2
Snyk
Snyk
added 2026/06/26 10:31 p.m.5 views

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization in the API key management process. An attacker can perform unauthorized key-management operations, such as creating, listing, or revoking API keys for other owners or escalating privileges by generating keys with...

5.4CVSS6AI score
Exploits0References2
Snyk
Snyk
added 2026/06/26 10:21 p.m.7 views

Regular Expression Denial of Service (ReDoS)

Overview js-toml is an A TOML parser for JavaScript/TypeScript, targeting TOML 1.0.0 Spec Affected versions of this package are vulnerable to Regular Expression Denial of Service ReDoS in the parseBigInt function used by the load process. An attacker can cause excessive CPU consumption and block...

8.7CVSS5.7AI score0.00415EPSS
Exploits1References3
Snyk
Snyk
added 2026/06/26 10:13 p.m.6 views

Out-of-bounds Read

Overview Affected versions of this package are vulnerable to Out-of-bounds Read via the tiff decoder. An attacker can cause a panic and potentially disrupt service by providing a specially crafted image file with an out-of-bounds strip offset. Remediation Upgrade github.com/golang/image/tiff to...

8.8CVSS5.8AI score0.00346EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/26 10:13 p.m.7 views

Out-of-bounds Read

Overview Affected versions of this package are vulnerable to Out-of-bounds Read via the tiff decoder. An attacker can cause a panic and potentially disrupt service by providing a specially crafted image file with an out-of-bounds strip offset. Remediation Upgrade golang.org/x/image/tiff to versio...

8.8CVSS5.8AI score0.00346EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/26 10:13 p.m.2 views

Directory Traversal

Overview Affected versions of this package are vulnerable to Directory Traversal via the StorageInterface.parentTraversalGuard function. An attacker can access arbitrary files on the host filesystem by submitting a specially crafted kestra:// URI containing URL-encoded directory traversal...

7.7CVSS6.5AI score0.00386EPSS
Exploits1References2
Snyk
Snyk
added 2026/06/26 10:13 p.m.4 views

Command Injection

Overview Affected versions of this package are vulnerable to Command Injection due to improper path validation in the AuthenticationFilter process. An attacker can execute arbitrary code with root privileges inside the worker container by bypassing authentication and creating or running workflows...

10CVSS6.3AI score0.00684EPSS
Exploits2References2
Snyk
Snyk
added 2026/06/26 10:12 p.m.5 views

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization via the Control Panel fieldtype endpoints. An attacker can access metadata and content for resources without proper permissions by sending crafted requests as an authenticated user. Remediation Upgrade statamic/c...

5.3CVSS5.8AI score0.00162EPSS
Exploits0References3
Snyk
Snyk
added 2026/06/26 10:11 p.m.5 views

Directory Traversal

Overview Affected versions of this package are vulnerable to Directory Traversal via the file-download API endpoint in the LocalStorage process. An attacker can access arbitrary files on the server filesystem, including sensitive data such as embedded databases, secrets, and environment variables...

8.7CVSS6.5AI score0.00386EPSS
Exploits1References2
Snyk
Snyk
added 2026/06/26 10:11 p.m.4 views

Directory Traversal

Overview Affected versions of this package are vulnerable to Directory Traversal via the file-download API endpoint in the LocalStorage process. An attacker can access arbitrary files on the server filesystem, including sensitive data such as embedded databases, secrets, and environment variables...

8.7CVSS6.5AI score0.00386EPSS
Exploits1References2
Snyk
Snyk
added 2026/06/26 10:11 p.m.4 views

Use of Password Hash With Insufficient Computational Effort

Overview Affected versions of this package are vulnerable to Use of Password Hash With Insufficient Computational Effort in the BasicAuth authentication process. An attacker can recover administrator credentials by performing offline brute-force attacks against SHA-512 password hashes obtained fr...

9.2CVSS6AI score0.00158EPSS
Exploits1References2
Snyk
Snyk
added 2026/06/26 9:50 p.m.6 views

Missing Authorization

Overview line-desktop-mcp is a MCP Server for LINE Desktop Automation via GUI scripting Affected versions of this package are vulnerable to Missing Authorization in the --http-mode process. An attacker can access and control LINE Desktop read and send tools by sending requests to the /mcp endpoin...

8.8CVSS6AI score0.00323EPSS
Exploits0References3
Snyk
Snyk
added 2026/06/26 9:50 p.m.4 views

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the proxy process. An attacker can access internal network resources and cloud metadata endpoints by exploiting a race condition between DNS validation and the actual HTTP request, using DNS rebinding...

3CVSS5.8AI score
Exploits0References3
Snyk
Snyk
added 2026/06/26 9:49 p.m.5 views

Missing Support for Integrity Check

Overview pnpm is a Fast, disk space efficient package manager Affected versions of this package are vulnerable to Missing Support for Integrity Check involving GitHub git dependencies, because the tarball hash for packages resolved from codeload.github.com is not recorded in the lockfile. An...

7.5CVSS5.9AI score0.00116EPSS
Exploits1References2
Snyk
Snyk
added 2026/06/26 9:29 p.m.10 views

Missing Authorization

Overview Affected versions of this package are vulnerable to Missing Authorization in the web UI handlers responsible for managing hosts and networks. An attacker can gain unauthorized access to sensitive information and perform destructive actions across resources owned by other operators by...

8.8CVSS5.8AI score
Exploits0References3
Snyk
Snyk
added 2026/06/26 9:29 p.m.4 views

Missing Authorization

Overview Affected versions of this package are vulnerable to Missing Authorization in the web UI handlers responsible for managing hosts and networks. An attacker can gain unauthorized access to sensitive information and perform destructive actions across resources owned by other operators by...

8.8CVSS6AI score
Exploits0References3
Snyk
Snyk
added 2026/06/26 9:23 p.m.6 views

Unlock of a Resource that is not Locked

Overview thorsten/phpmyfaq is a FAQ system for PHP and MySQL, PostgreSQL and other databases Affected versions of this package are vulnerable to Unlock of a Resource that is not Locked in the editUser and updateUserRights processes. An attacker can gain unauthorized SuperAdmin privileges or grant...

8.8CVSS5.9AI score0.00251EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/26 9:23 p.m.6 views

Unlock of a Resource that is not Locked

Overview phpmyfaq/phpmyfaq is a FAQ system for PHP and MySQL, PostgreSQL and other databases Affected versions of this package are vulnerable to Unlock of a Resource that is not Locked in the editUser and updateUserRights processes. An attacker can gain unauthorized SuperAdmin privileges or grant...

8.8CVSS5.9AI score0.00251EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/26 9:15 p.m.4 views

Directory Traversal

Overview patool is a portable archive file manager Affected versions of this package are vulnerable to Directory Traversal in the safeextract function in patoolib/programs/pytarfile.py when running on Python versions before 3.12, due to the use of os.path.commonprefix for character-level string...

5.4CVSS6.5AI score0.00285EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/26 9:11 p.m.13 views

Prototype Pollution

Overview n8n-workflow is a Workflow base code of n8n Affected versions of this package are vulnerable to Prototype Pollution via the deepCopy and replaceCircularReferences utilities in utils.ts. An attacker can inject crafted proto, constructor, or prototype fields in a public webhook payload tha...

6.4CVSS6.6AI score0.00259EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/26 9:8 p.m.4 views

Server-side Request Forgery (SSRF)

Overview @cardano402/mcp-server is a MCP server that exposes paid HTTP endpoints as MCP tools, paying via the x402 Cardano scheme. Affected versions of this package are vulnerable to Server-side Request Forgery SSRF through improper validation of catalog.server.url and insecure HTTP transport...

8.6CVSS6AI score
Exploits0References5
Snyk
Snyk
added 2026/06/26 9:5 p.m.6 views

Missing Authentication for Critical Function

Overview mcp-pinot-server is an A production-grade MCP server for Apache Pinot Affected versions of this package are vulnerable to Missing Authentication for Critical Function due to the default configuration where authentication is disabled and the HTTP server binds to all network interfaces. An...

10CVSS5.8AI score0.00498EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/26 9:4 p.m.7 views

Missing Authorization

Overview mcp-memory-service is an Open-source persistent memory for AI agent pipelines and Claude. REST API + semantic search + knowledge graph + autonomous consolidation. Self-host, zero cloud cost. Affected versions of this package are vulnerable to Missing Authorization through the tools/call...

8.1CVSS5.8AI score0.00264EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/26 9:3 p.m.6 views

Prototype Pollution

Overview @deepstream/server is an a scalable server for realtime webapps Affected versions of this package are vulnerable to Prototype Pollution via the message processing pipeline. An attacker can escalate privileges and potentially gain unauthorized access or modify sensitive data by sending...

9.9CVSS6.5AI score0.0027EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/26 9:3 p.m.7 views

Cross-site Scripting (XSS)

Overview dosage is an a comic strip downloader and archiver Affected versions of this package are vulnerable to Cross-site Scripting XSS via the HTML and RSS output handlers, which write unescaped user-controlled content such as comic text and page URLs directly into generated files. An attacker...

6.1CVSS5.9AI score
Exploits0References2
Snyk
Snyk
added 2026/06/26 9:2 p.m.11 views

Uncontrolled Recursion

Overview Scriban is a Scriban is a fast, powerful, safe and lightweight scripting language and engine for .NET, which was primarily developed for text templating with a compatibility mode for parsing liquid templates. Today, not only Scriban can be used in text templating scenarios, but also can ...

6.9CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/06/26 9:1 p.m.10 views

Allocation of Resources Without Limits or Throttling

Overview Scriban is a Scriban is a fast, powerful, safe and lightweight scripting language and engine for .NET, which was primarily developed for text templating with a compatibility mode for parsing liquid templates. Today, not only Scriban can be used in text templating scenarios, but also can ...

6.9CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/06/26 9:1 p.m.7 views

Replay Attack

Overview Affected versions of this package are vulnerable to Replay Attack in the signed-poll process due to the nonce cache being stored in-memory and limited in size. An attacker can obtain unauthorized access to a freshly-minted enrollment token by replaying a previously captured signed-poll...

6.9CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/06/26 9:1 p.m.6 views

Replay Attack

Overview Affected versions of this package are vulnerable to Replay Attack in the signed-poll process due to the nonce cache being stored in-memory and limited in size. An attacker can obtain unauthorized access to a freshly-minted enrollment token by replaying a previously captured signed-poll...

6.9CVSS6AI score
Exploits0References2
Snyk
Snyk
added 2026/06/26 9:1 p.m.7 views

Replay Attack

Overview Affected versions of this package are vulnerable to Replay Attack in the signed-poll process due to the nonce cache being stored in-memory and limited in size. An attacker can obtain unauthorized access to a freshly-minted enrollment token by replaying a previously captured signed-poll...

6.9CVSS6AI score
Exploits0References2
Snyk
Snyk
added 2026/06/26 9:1 p.m.13 views

Replay Attack

Overview Affected versions of this package are vulnerable to Replay Attack in the signed-poll process due to the nonce cache being stored in-memory and limited in size. An attacker can obtain unauthorized access to a freshly-minted enrollment token by replaying a previously captured signed-poll...

6.9CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/06/26 9:0 p.m.5 views

Insertion of Sensitive Information into Log File

Overview web-auth/webauthn-symfony-bundle is a FIDO2/Webauthn Security Bundle For Symfony. Affected versions of this package are vulnerable to Insertion of Sensitive Information into Log File in the onAuthenticationSuccess and onAuthenticationFailure processes. An attacker can obtain sensitive...

8.7CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/06/26 8:55 p.m.6 views

HTTP Request Smuggling

Overview Affected versions of this package are vulnerable to HTTP Request Smuggling in the ServerConnection process. An attacker can bypass application-level size limits or cause incorrect application behavior by sending HTTP/2 DATA frames with a total byte count that does not match the declared...

8.7CVSS5.8AI score0.00267EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/26 8:55 p.m.8 views

HTTP Request Smuggling

Overview Affected versions of this package are vulnerable to HTTP Request Smuggling in the ServerConnection process. An attacker can bypass application-level size limits or cause incorrect application behavior by sending HTTP/2 DATA frames with a total byte count that does not match the declared...

8.7CVSS5.8AI score0.00267EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/26 8:55 p.m.22 views

NULL Pointer Dereference

Overview muhammara is a Create, read and modify PDF files and streams. A drop in replacement for hummusjs PDF library Affected versions of this package are vulnerable to NULL Pointer Dereference in the CreateFilterForStream process when handling PDF streams with /Filter /LZWDecode and a...

8.7CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/06/26 8:54 p.m.7 views

Information Exposure

Overview pterodactyl/panel is a game management panel. Affected versions of this package are vulnerable to Information Exposure via the email update process. An attacker can determine whether specific email addresses are registered by sending repeated requests and observing the system's responses...

6.9CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/06/26 8:53 p.m.7 views

Symlink Attack

Overview Affected versions of this package are vulnerable to Symlink Attack via the fchmodat function. An attacker can modify file permissions outside the intended container environment by creating symlinks to files on the host system and invoking permission changes through the exposed operation...

5.3CVSS6AI score
Exploits0References2
Total number of security vulnerabilities36119