36119 matches found
Allocation of Resources Without Limits or Throttling
Overview python-socketio is a Socket.IO server and client for Python Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling through the process that stores binary EVENT and ACK messages in memory while awaiting their binary attachments. An attacke...
Allocation of Resources Without Limits or Throttling
Overview python-engineio is a Python implementation of the Engine.IO realtime client and server. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the heartbeat mechanism. An attacker can exhaust system resources by repeatedly triggering...
Malicious Package
Overview semantic-router is a malicious package. in the litellminit.pth process. An attacker can gain unauthorized access to sensitive information, including environment variables, cloud credentials, SSH keys, database credentials, and other secrets, by executing malicious code during Python...
Allocation of Resources Without Limits or Throttling
Overview python-engineio is a Python implementation of the Engine.IO realtime client and server. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the handling of incoming messages when using ASGI with the long polling transport for POST...
Regular Expression Denial of Service (ReDoS)
Overview org.webjars.npm:linkify-it is a Links recognition library with FULL unicode support Affected versions of this package are vulnerable to Regular Expression Denial of Service ReDoS due to quadratic algorithmic complexity in the match function. An attacker can exhaust CPU resources and caus...
Regular Expression Denial of Service (ReDoS)
Overview linkify-it is a Links recognition library with FULL unicode support Affected versions of this package are vulnerable to Regular Expression Denial of Service ReDoS due to quadratic algorithmic complexity in the match function. An attacker can exhaust CPU resources and cause significant...
Incorrect Permission Assignment for Critical Resource
Overview Affected versions of this package are vulnerable to Incorrect Permission Assignment for Critical Resource due to improper file permission settings on the settings.json file, which stores sensitive credentials in plaintext. An attacker can gain unauthorized access to confidential platform...
Access Control Bypass
Overview nono-py is a Python bindings for nono capability-based sandboxing Affected versions of this package are vulnerable to Access Control Bypass due to the policy JSON accepting unknown security-sensitive fields and the failure to automatically enforce CapabilitySet.proxyonly when resolving a...
Insecure Default Initialization of Resource
Overview nono-py is a Python bindings for nono capability-based sandboxing Affected versions of this package are vulnerable to Insecure Default Initialization of Resource due to improper enforcement of access restrictions in the proxy process. An attacker can gain unauthorized network access by...
Debug Messages Revealing Unnecessary Information
Overview @mcptoolshop/backpropagate is a Deprecated npm distribution shim for backpropagate — prints install guidance for pipx/uv tool/pip. See https://github.com/mcp-tool-shop-org/backpropagate Affected versions of this package are vulnerable to Debug Messages Revealing Unnecessary Information i...
Debug Messages Revealing Unnecessary Information
Overview backpropagate is a Production-ready headless LLM fine-tuning with smart defaults, Windows support, and modular architecture Affected versions of this package are vulnerable to Debug Messages Revealing Unnecessary Information in the authentication process. An attacker can gain unauthorize...
Protection Mechanism Failure
Overview nono-py is a Python bindings for nono capability-based sandboxing Affected versions of this package are vulnerable to Protection Mechanism Failure in the sandboxedexec process when running on Linux kernels lacking Landlock network support. An attacker can access sensitive network resourc...
Incorrect Authorization
Overview Affected versions of this package are vulnerable to Incorrect Authorization through the GetPolicyByIDQueries process. An attacker can access policy data belonging to other teams by sending requests to the global policy read endpoint with valid credentials for any team, thereby bypassing...
Incorrect Authorization
Overview Affected versions of this package are vulnerable to Incorrect Authorization through the GetPolicyByIDQueries process. An attacker can access policy data belonging to other teams by sending requests to the global policy read endpoint with valid credentials for any team, thereby bypassing...
Exposed Dangerous Method or Function
Overview nx is a The core Nx plugin contains the core functionality of Nx like the project graph, nx commands and task orchestration. Affected versions of this package are vulnerable to Exposed Dangerous Method or Function via the local HTTP server's permissive CORS policy, which sends...
Arbitrary Argument Injection
Overview @cyclonedx/cdxgen is a Creates CycloneDX Software Bill of Materials SBOM from source or container image Affected versions of this package are vulnerable to Arbitrary Argument Injection via the Maven project scanning process. An attacker can execute arbitrary shell commands by submitting ...
Interpretation Conflict
Overview Affected versions of this package are vulnerable to Interpretation Conflict via the downloadImage process. An attacker can execute arbitrary scripts in the context of the application by tricking a user into visiting a crafted link that proxies malicious content through the image proxy...
Directory Traversal
Overview Affected versions of this package are vulnerable to Directory Traversal due to incorrect path string matching in the limit container paths process. An attacker can bypass intended directory restrictions by placing containers in sibling directories with similar names, allowing unauthorize...
Improper Input Validation
Overview Affected versions of this package are vulnerable to Improper Input Validation via the imageDownload process. An attacker can overwrite arbitrary files on the host system and potentially execute arbitrary commands as root by supplying a crafted Incus-Image-Hash header containing directory...
Improper Input Validation
Overview Affected versions of this package are vulnerable to Improper Input Validation via the imageDownload process. An attacker can overwrite arbitrary files on the host system and potentially execute arbitrary commands as root by supplying a crafted Incus-Image-Hash header containing directory...
Improper Input Validation
Overview Affected versions of this package are vulnerable to Improper Input Validation via the imageDownload process. An attacker can overwrite arbitrary files on the host system and potentially execute arbitrary commands as root by supplying a crafted Incus-Image-Hash header containing directory...
Improper Input Validation
Overview Affected versions of this package are vulnerable to Improper Input Validation via the imageDownload process. An attacker can overwrite arbitrary files on the host system and potentially execute arbitrary commands as root by supplying a crafted Incus-Image-Hash header containing directory...
Improper Input Validation
Overview Affected versions of this package are vulnerable to Improper Input Validation via the imageDownload process. An attacker can overwrite arbitrary files on the host system and potentially execute arbitrary commands as root by supplying a crafted Incus-Image-Hash header containing directory...
Improper Input Validation
Overview github.com/lxc/incus/v6/shared/validate is a None Affected versions of this package are vulnerable to Improper Input Validation. via the imageDownload process. An attacker can overwrite arbitrary files on the host system and potentially execute arbitrary commands as root by supplying a...
Improper Verification of Cryptographic Signature
Overview @sigstore/core is a Base library for Sigstore Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature in the preAuthEncoding function. An attacker can bypass type-binding guarantees by substituting characters in payloadType with Unicode varian...
NULL Pointer Dereference
Overview Affected versions of this package are vulnerable to NULL Pointer Dereference in the CreateCustomVolumeFromBackup process. An attacker can cause the incusd daemon to crash by uploading a crafted backup tarball with a volumesnapshots.expiresat field omitted, leading to a nil pointer...
NULL Pointer Dereference
Overview Affected versions of this package are vulnerable to NULL Pointer Dereference in the CreateCustomVolumeFromBackup process. An attacker can cause the incusd daemon to crash by uploading a crafted backup tarball with a volumesnapshots.expiresat field omitted, leading to a nil pointer...
NULL Pointer Dereference
Overview Affected versions of this package are vulnerable to NULL Pointer Dereference in the CreateCustomVolumeFromBackup process. An attacker can cause the incusd daemon to crash by uploading a crafted backup tarball with a volumesnapshots.expiresat field omitted, leading to a nil pointer...
Improper Input Validation
Overview Affected versions of this package are vulnerable to Improper Input Validation via improper validation of the compressionalgorithm parameter. An attacker can achieve arbitrary file write and potentially execute arbitrary commands by injecting additional arguments into the compression...
Improper Input Validation
Overview Affected versions of this package are vulnerable to Improper Input Validation via improper validation of the compressionalgorithm parameter. An attacker can achieve arbitrary file write and potentially execute arbitrary commands by injecting additional arguments into the compression...
Improper Input Validation
Overview Affected versions of this package are vulnerable to Improper Input Validation via improper validation of the compressionalgorithm parameter. An attacker can achieve arbitrary file write and potentially execute arbitrary commands by injecting additional arguments into the compression...
NULL Pointer Dereference
Overview Affected versions of this package are vulnerable to NULL Pointer Dereference in the createDependentVolumesFromBackup process. An attacker can cause the daemon to crash by uploading a crafted backup tarball with a malformed dependentvolumes block containing nil or omitted sub-fields. This...
NULL Pointer Dereference
Overview Affected versions of this package are vulnerable to NULL Pointer Dereference in the createDependentVolumesFromBackup process. An attacker can cause the daemon to crash by uploading a crafted backup tarball with a malformed dependentvolumes block containing nil or omitted sub-fields. This...
NULL Pointer Dereference
Overview Affected versions of this package are vulnerable to NULL Pointer Dereference in the createDependentVolumesFromBackup process. An attacker can cause the daemon to crash by uploading a crafted backup tarball with a malformed dependentvolumes block containing nil or omitted sub-fields. This...
External Control of File Name or Path
Overview Affected versions of this package are vulnerable to External Control of File Name or Path via unsanitized handling of the uploadId parameter in the multipart upload process. An attacker can create arbitrary files on the host system, potentially leading to arbitrary command execution, by...
External Control of File Name or Path
Overview Affected versions of this package are vulnerable to External Control of File Name or Path via unsanitized handling of the uploadId parameter in the multipart upload process. An attacker can create arbitrary files on the host system, potentially leading to arbitrary command execution, by...
External Control of File Name or Path
Overview Affected versions of this package are vulnerable to External Control of File Name or Path via unsanitized handling of the uploadId parameter in the multipart upload process. An attacker can create arbitrary files on the host system, potentially leading to arbitrary command execution, by...
External Control of File Name or Path
Overview Affected versions of this package are vulnerable to External Control of File Name or Path via a crafted symlink in the templates directory during image import or instance backup restoration processes. An attacker can access and modify arbitrary files on the host system, potentially leadi...
External Control of File Name or Path
Overview Affected versions of this package are vulnerable to External Control of File Name or Path via a crafted symlink in the templates directory during image import or instance backup restoration processes. An attacker can access and modify arbitrary files on the host system, potentially leadi...
External Control of File Name or Path
Overview Affected versions of this package are vulnerable to External Control of File Name or Path via a crafted symlink in the templates directory during image import or instance backup restoration processes. An attacker can access and modify arbitrary files on the host system, potentially leadi...
Missing Authorization
Overview Affected versions of this package are vulnerable to Missing Authorization through the raw.lxc and raw.qemu hooks when the restricted.containers.lowlevel=block setting is ignored during instance snapshot restoration. An attacker can execute arbitrary commands with root privileges on the...
Missing Authorization
Overview Affected versions of this package are vulnerable to Missing Authorization through the raw.lxc and raw.qemu hooks when the restricted.containers.lowlevel=block setting is ignored during instance snapshot restoration. An attacker can execute arbitrary commands with root privileges on the...
Missing Authorization
Overview Affected versions of this package are vulnerable to Missing Authorization through the raw.lxc and raw.qemu hooks when the restricted.containers.lowlevel=block setting is ignored during instance snapshot restoration. An attacker can execute arbitrary commands with root privileges on the...
External Control of File Name or Path
Overview Affected versions of this package are vulnerable to External Control of File Name or Path through the record-output process. An attacker can create or overwrite files on the host system by exploiting a crafted symlink in a container image, which can lead to arbitrary command execution...
External Control of File Name or Path
Overview Affected versions of this package are vulnerable to External Control of File Name or Path through the record-output process. An attacker can create or overwrite files on the host system by exploiting a crafted symlink in a container image, which can lead to arbitrary command execution...
External Control of File Name or Path
Overview Affected versions of this package are vulnerable to External Control of File Name or Path through the record-output process. An attacker can create or overwrite files on the host system by exploiting a crafted symlink in a container image, which can lead to arbitrary command execution...
External Control of File Name or Path
Overview Affected versions of this package are vulnerable to External Control of File Name or Path through the rootfs symlink during image extraction. An attacker can gain unauthorized access to sensitive files and perform arbitrary file creation or modification on the host by importing a special...
External Control of File Name or Path
Overview Affected versions of this package are vulnerable to External Control of File Name or Path through the rootfs symlink during image extraction. An attacker can gain unauthorized access to sensitive files and perform arbitrary file creation or modification on the host by importing a special...
External Control of File Name or Path
Overview Affected versions of this package are vulnerable to External Control of File Name or Path through the rootfs symlink during image extraction. An attacker can gain unauthorized access to sensitive files and perform arbitrary file creation or modification on the host by importing a special...
Command Injection
Overview Affected versions of this package are vulnerable to Command Injection via the fn-git-create-hook process when a crafted app name containing shell metacharacters is pushed to a git remote. An attacker can execute arbitrary commands as the application user by embedding malicious input in t...