35669 matches found
Malicious Package
Overview @luminarycloudinternal/lcvis-st is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and th...
Malicious Package
Overview @luminarycloudinternal/frodo is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...
Malicious Package
Overview cursed-ecto-d3ab00 is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview epic-internal-tools is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview ue-automation-scripts is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview unreal-horde-dashboard is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this packag...
Malicious Package
Overview ue-jenkins-buildkite is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview robomerge is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...
Malicious Package
Overview voyager-web is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorshi...
Malicious Package
Overview searchresults is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview workspace-scripts is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview @businessapp-microsites/apis is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...
Malicious Package
Overview workspace-lint is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview nodemon-patch is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview nodemon-gulp is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview nodepack-daemon is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview crypto-promiser is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview paperclip-adapter-helpers is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...
Malicious Package
Overview vps-new-manager is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Server-side Request Forgery (SSRF)
Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the WebFetchTool.Execute function in the Guarded Web Fetch Flow process. An attacker can make the server initiate arbitrary HTTP requests to internal or external resources by supplying crafted URLs...
Server-side Request Forgery (SSRF)
Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the WebFetchTool.Execute function in the Guarded Web Fetch Flow process. An attacker can make the server initiate arbitrary HTTP requests to internal or external resources by supplying crafted URLs...
Server-side Request Forgery (SSRF)
Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the WebFetchTool.Execute function in the Guarded Web Fetch Flow process. An attacker can make the server initiate arbitrary HTTP requests to internal or external resources by supplying crafted URLs...
Incorrect Authorization
Overview Affected versions of this package are vulnerable to Incorrect Authorization in the MQTT Channel Handler process due to improper handling of the clientid argument. An attacker can gain unauthorized access and perform actions with insufficient authorization by sending crafted requests...
Incorrect Authorization
Overview Affected versions of this package are vulnerable to Incorrect Authorization in the MQTT Channel Handler process due to improper handling of the clientid argument. An attacker can gain unauthorized access and perform actions with insufficient authorization by sending crafted requests...
Symlink Attack
Overview decompress is a package that can be used for extracting archives. Affected versions of this package are vulnerable to Symlink Attack via the fs.link process. An attacker can gain unauthorized access to sensitive files or corrupt file contents by crafting an archive containing a hardlink...
Authorization Bypass Through User-Controlled Key
Overview @arikusi/deepseek-mcp-server is a MCP Server for DeepSeek API integration - enables Claude Code to use DeepSeek Chat and Reasoner models Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key in the SessionStore process, which accepts...
Missing Authentication for Critical Function
Overview @arikusi/deepseek-mcp-server is a MCP Server for DeepSeek API integration - enables Claude Code to use DeepSeek Chat and Reasoner models Affected versions of this package are vulnerable to Missing Authentication for Critical Function in the POST /mcp endpoint due to the absence of...
Directory Traversal
Overview decompress is a package that can be used for extracting archives. Affected versions of this package are vulnerable to Directory Traversal via improper validation in the safeMakeDir function and extraction path validation process. An attacker can write arbitrary files outside the intended...
Symlink Attack
Overview decompress is a package that can be used for extracting archives. Affected versions of this package are vulnerable to Symlink Attack in the symlink handling process. An attacker can create arbitrary symbolic links outside the intended extraction directory by crafting an archive with...
Cross-site Scripting (XSS)
Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the ntitle parameter in the PFS module, which is processed through the TXT filter in pfs.main.php. An attacker can execute arbitrary scripts in the browser of users who view the affected folder listing by...
Cross-site Request Forgery (CSRF)
Overview Affected versions of this package are vulnerable to Cross-site Request Forgery CSRF through the admin.php configuration update process. An attacker can modify administrator settings by tricking a logged-in administrator into submitting a forged POST request, which disables the file...
Unsafe Dependency Resolution
Overview Affected versions of this package are vulnerable to Unsafe Dependency Resolution when the gh codespace jupyter process opens a JupyterLab URL supplied by a process inside a Codespace without validating that it is a loopback HTTP or HTTPS address. An attacker can execute arbitrary command...
Improper Validation of Array Index
Overview Affected versions of this package are vulnerable to Improper Validation of Array Index in the validation process for BGP UPDATE messages containing an empty ASPATH attribute. An attacker can cause a panic and terminate the peer session by sending a malformed UPDATE with a zero-length...
Improper Validation of Array Index
Overview Affected versions of this package are vulnerable to Improper Validation of Array Index in the validation process for BGP UPDATE messages containing an empty ASPATH attribute. An attacker can cause a panic and terminate the peer session by sending a malformed UPDATE with a zero-length...
Improper Validation of Array Index
Overview Affected versions of this package are vulnerable to Improper Validation of Array Index in the validation process for BGP UPDATE messages containing an empty ASPATH attribute. An attacker can cause a panic and terminate the peer session by sending a malformed UPDATE with a zero-length...
Out-of-bounds Read
Overview Affected versions of this package are vulnerable to Out-of-bounds Read in the BGP OPEN capability parsing process. An attacker can influence peer AS validation and capability negotiation by sending a specially crafted BGP OPEN message with a malformed capability length, causing the parse...
Out-of-bounds Read
Overview Affected versions of this package are vulnerable to Out-of-bounds Read in the BGP OPEN capability parsing process. An attacker can influence peer AS validation and capability negotiation by sending a specially crafted BGP OPEN message with a malformed capability length, causing the parse...
Out-of-bounds Read
Overview Affected versions of this package are vulnerable to Out-of-bounds Read in the BGP OPEN capability parsing process. An attacker can influence peer AS validation and capability negotiation by sending a specially crafted BGP OPEN message with a malformed capability length, causing the parse...
External Control of File Name or Path
Overview psd-tools is a Python package for working with Adobe Photoshop PSD files as described in specification. Affected versions of this package are vulnerable to External Control of File Name or Path through the save and open functions. An attacker can write arbitrary files to attacker-chosen...
Insufficient Verification of Data Authenticity
Overview Affected versions of this package are vulnerable to Insufficient Verification of Data Authenticity due to improper validation in the threshold counting process. An attacker can bypass multi-log threshold requirements by compromising a single log and forging multiple entries or...
External Control of File Name or Path
Overview py-rattler is an A blazing fast library to work with the conda ecosystem Affected versions of this package are vulnerable to External Control of File Name or Path via the build string in package metadata during cache materialization. An attacker can cause files to be written outside the...
Open Redirect
Overview Affected versions of this package are vulnerable to Open Redirect in the redirect URL validation process. An attacker can cause users to be redirected to arbitrary external sites by crafting a specially formatted URL that bypasses host and schema checks using a double slash prefix in the...
Improper Authorization
Overview Affected versions of this package are vulnerable to Improper Authorization due to insufficient permission checks on the configuration-view/detail/create endpoint. An attacker can gain unauthorized access to create class definitions and potentially escalate privileges by sending crafted...
Weak Password Recovery Mechanism for Forgotten Password
Overview Affected versions of this package are vulnerable to Weak Password Recovery Mechanism for Forgotten Password via the resetPasswordUrl parameter in the password reset process. An attacker can gain unauthorized access to any administrator account and bypass two-factor authentication by...
SQL Injection
Overview Affected versions of this package are vulnerable to SQL Injection via the key parameter in the columnFilters array, which is directly interpolated into SQL queries with manual backtick wrapping. An attacker can extract sensitive database information, including password hashes, by injecti...
Malicious Package
Overview @kl-starfish/test-01 is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Authorization Bypass Through User-Controlled Key
Overview sylius/sylius is a platform for PHP, based on Symfony framework. Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the GET /api/v2/shop/payment-requests/hash, PUT /api/v2/shop/payment-requests/hash, and POST...
Incorrect Authorization
Overview sylius/sylius is a platform for PHP, based on Symfony framework. Affected versions of this package are vulnerable to Incorrect Authorization in the PATCH /api/v2/shop/account/orders/tokenValue/payments/paymentId endpoint. An attacker can assign payment methods that are not enabled for th...
Improper Enforcement of Behavioral Workflow
Overview sylius/sylius is a platform for PHP, based on Symfony framework. Affected versions of this package are vulnerable to Improper Enforcement of Behavioral Workflow through the FormComponent process. An attacker can irreversibly modify or delete completed order data by performing actions suc...
Deserialization of Untrusted Data
Overview Affected versions of this package are vulnerable to Deserialization of Untrusted Data in the importEntry process when attacker-controlled input is passed to unserialize without restricting allowed classes. An attacker can achieve arbitrary code execution by tricking an authenticated admi...