Lucene search
+L

36149 matches found

Snyk
Snyk
added 2026/06/24 3:18 p.m.7 views

Cross-site Request Forgery (CSRF)

Overview Affected versions of this package are vulnerable to Cross-site Request Forgery CSRF via the process that handles external URL connections. An attacker can cause the system to connect to an arbitrary URL with attacker-controlled credentials by tricking an authenticated user into making a...

5.4CVSS6.1AI score0.00101EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/24 3:18 p.m.8 views

Cross-site Scripting (XSS)

Overview n8n is a n8n Workflow Automation Tool Affected versions of this package are vulnerable to Cross-site Scripting XSS through the Respond to Webhook binary response path in the webhook response handling code. An authenticated workflow editor can configure a public webhook to return...

7CVSS5.8AI score0.00216EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/24 3:18 p.m.4 views

User Impersonation

Overview @n8n/n8n-nodes-langchain is a Affected versions of this package are vulnerable to User Impersonation via the MicrosoftAgent365Trigger node failing to validate inbound requests. An attacker can execute workflows with attacker-controlled data by submitting forged payloads to the webhook UR...

7.2CVSS6AI score0.00276EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/24 3:18 p.m.7 views

Missing Authorization

Overview org.jenkins-ci.plugins:git-parameter is a plugin that allows you to assign git branch, tag, pull request or revision number as parameter in your builds. Affected versions of this package are vulnerable to Missing Authorization due to a missing permission check in the process. An attacker...

6.5CVSS6AI score0.00216EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/24 3:18 p.m.5 views

Exposure of Private Personal Information to an Unauthorized Actor

Overview Affected versions of this package are vulnerable to Exposure of Private Personal Information to an Unauthorized Actor in the display of historical job and agent configurations. An attacker can access sensitive encrypted secret values by obtaining Extended Read permission. Remediation...

7.1CVSS6AI score0.0013EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/24 3:18 p.m.5 views

Access Control Bypass

Overview Affected versions of this package are vulnerable to Access Control Bypass in the Pipeline Snippet Generator process. An attacker can gain unauthorized access to instantiate types related to job or system configuration by submitting crafted input to the generator. Remediation Upgrade...

6.9CVSS5.8AI score0.00275EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/24 3:18 p.m.3 views

Missing Authorization

Overview org.jenkins-ci.plugins:assembla is a plugin that integrates Jenkins with Assembla tickets during SCM update / Build. Affected versions of this package are vulnerable to Missing Authorization due to a lack of permission validation in the process. An attacker can initiate unauthorized...

5.4CVSS5.9AI score0.00161EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/24 3:18 p.m.7 views

Cross-site Request Forgery (CSRF)

Overview Affected versions of this package are vulnerable to Cross-site Request Forgery CSRF via the Pipeline Snippet Generator. An attacker can instantiate types related to job or system configuration other than Pipeline steps by tricking a user with the necessary permissions into submitting a...

6.5CVSS5.8AI score0.00158EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/24 3:18 p.m.9 views

XML External Entity (XXE) Injection

Overview org.jenkins-ci.plugins:assembla is a plugin that integrates Jenkins with Assembla tickets during SCM update / Build. Affected versions of this package are vulnerable to XML External Entity XXE Injection via the XML parser. An attacker can extract sensitive information from the server or...

8.8CVSS6AI score0.00224EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/24 3:16 p.m.3 views

Cross-site Request Forgery (CSRF)

Overview org.jenkins-ci.plugins:assembla is a plugin that integrates Jenkins with Assembla tickets during SCM update / Build. Affected versions of this package are vulnerable to Cross-site Request Forgery CSRF via the process that handles external URL connections. An attacker can cause unauthoriz...

5.4CVSS5.8AI score0.00128EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/24 3:16 p.m.3 views

Improper Certificate Validation

Overview Affected versions of this package are vulnerable to Improper Certificate Validation due to the unconditional disabling of SSL/TLS certificate and hostname validation for connections sending Bearer token authenticated requests to the configured Bitbucket Server endpoint. An attacker can...

8.3CVSS6AI score0.00108EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/24 3:16 p.m.5 views

Cross-site Request Forgery (CSRF)

Overview Affected versions of this package are vulnerable to Cross-site Request Forgery CSRF via the process that connects to a user-specified URL using credentials IDs provided by the attacker. An attacker can obtain sensitive credential information by tricking an authenticated user into making ...

5.1CVSS6AI score0.0011EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/24 2:43 p.m.9 views

Malicious Package

Overview ui-core-system is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/06/24 2:40 p.m.5 views

Missing Authorization

Overview Affected versions of this package are vulnerable to Missing Authorization due to a lack of permission checks in the connect process. An attacker can exfiltrate credentials by specifying a malicious URL and leveraging credential IDs obtained through other means. Remediation There is no...

5.4CVSS6AI score0.0014EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/24 2:8 p.m.9 views

Malicious Package

Overview react-simple-utils-kit is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this packag...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/06/24 2:8 p.m.11 views

Malicious Package

Overview ldapaotest is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/06/24 2:8 p.m.9 views

Malicious Package

Overview react-campaign-optimizer is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/06/24 2:8 p.m.7 views

Malicious Package

Overview date-format-helper2 is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/06/24 1:20 p.m.5 views

Deserialization of Untrusted Data

Overview picklescan is a Security scanner detecting Python Pickle files performing suspicious actions Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the idlelib.debugobj.ObjectTreeItem.SetText function. An attacker can execute arbitrary commands by...

8.1CVSS6AI score0.00253EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/24 1:20 p.m.5 views

Eval Injection

Overview picklescan is a Security scanner detecting Python Pickle files performing suspicious actions Affected versions of this package are vulnerable to Eval Injection via the fetchtip function. An attacker can execute arbitrary code by embedding malicious payloads in pickle files that are loade...

8.1CVSS6.1AI score0.00339EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/24 11:21 a.m.8 views

Incorrect Type Conversion or Cast

Overview nokogiri is a gem for parsing HTML, XML, SAX, and Reader. Affected versions of this package are vulnerable to Incorrect Type Conversion or Cast in the protected initializecopywithargs copy helper behind Nodedup and clone, which unwraps its source argument as an xmlNode without a type...

5.7CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/06/24 10:23 a.m.7 views

Malicious Package

Overview multer-express is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/06/24 10:23 a.m.10 views

Malicious Package

Overview rapidsearch is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorshi...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/06/24 10:16 a.m.8 views

Malicious Package

Overview evmdotjs is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/06/24 10:16 a.m.8 views

Malicious Package

Overview ethaccounts is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorshi...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/06/24 10:16 a.m.6 views

Malicious Package

Overview vercel-api-client is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/06/24 10:7 a.m.5 views

Malicious Package

Overview pretiex1 is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/06/24 10:7 a.m.9 views

Malicious Package

Overview pretiex2 is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/06/24 7:11 a.m.4 views

Expression Injection

Overview ch.qos.logback:logback-core is a logback-core module. Affected versions of this package are vulnerable to Expression Injection in the Janino-evaluated condition attribute of configuration elements, handled by IfModelHandler, whose denylist blocked only the literal new operator. A user wh...

7.2CVSS6.2AI score0.00122EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/24 1:53 a.m.11 views

Malicious Package

Overview tailwind-textform-fill is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this packag...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/06/24 1:51 a.m.11 views

Embedded Malicious Code

Overview html-to-gutenberg is a Transform any valid HTML string into fully editable WP Gutenberg blocks in seconds rather than hours. Affected versions of this package are vulnerable to Embedded Malicious Code. This release contains a multi-stage, blockchain-C2 remote code execution loader in...

9.8CVSS6.4AI score
Exploits0References2
Snyk
Snyk
added 2026/06/24 1:44 a.m.5 views

Embedded Malicious Code

Overview fetch-page-assets is an A versatile Node.js module for extracting assets such as CSS files, JavaScript files, fonts, and images from HTML content or URLs. Affected versions of this package are vulnerable to Embedded Malicious Code. This release contains a multi-stage, blockchain-C2 remot...

9.8CVSS6.4AI score
Exploits0References2
Snyk
Snyk
added 2026/06/24 1:36 a.m.8 views

Malicious Package

Overview postcss-minify-selector-parser is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and thi...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/06/24 1:36 a.m.11 views

Malicious Package

Overview aes-decode-runner-pro is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/06/24 1:36 a.m.9 views

Malicious Package

Overview postcss-minify-selector is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this packa...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/06/24 1:17 a.m.6 views

Malicious Package

Overview opt-archetype-check is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/06/24 1:17 a.m.9 views

Malicious Package

Overview markdownlint-cli2-fix is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/06/24 1:17 a.m.7 views

Malicious Package

Overview node-vfs-polyfill is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/06/24 1:17 a.m.5 views

Malicious Package

Overview vscode-test-web is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/06/24 1:7 a.m.19 views

Prototype Pollution

Overview style-dictionary is a Style once, use everywhere. A build system for creating cross-platform styles. Affected versions of this package are vulnerable to Prototype Pollution via the convertTokenData function. An attacker can modify the prototype of built-in objects by supplying crafted...

8.8CVSS6.3AI score0.00132EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/24 12:0 a.m.4 views

UNIX Symbolic Link (Symlink) Following

Overview Affected versions of this package are vulnerable to UNIX Symbolic Link Symlink Following in the OpenAtNoFollow process. An attacker can cause unintended file ownership or permission changes on host files by placing a symlink in the virt-launcher filesystem, which is then followed via...

7.3CVSS6AI score0.00122EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/24 12:0 a.m.3 views

Improper Authentication

Overview Affected versions of this package are vulnerable to Improper Authentication in the notify server process. An attacker can disrupt the lifecycle management of co-located virtual machines by sending forged domain lifecycle events through a legitimate Unix socket after gaining shell access...

6.8CVSS6AI score0.0009EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/24 12:0 a.m.4 views

UNIX Symbolic Link (Symlink) Following

Overview Affected versions of this package are vulnerable to UNIX Symbolic Link Symlink Following in the OpenAtNoFollow process. An attacker can cause unintended file ownership or permission changes on host files by placing a symlink in the virt-launcher filesystem, which is then followed via...

7.3CVSS6AI score0.00122EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/24 12:0 a.m.4 views

Improper Authentication

Overview Affected versions of this package are vulnerable to Improper Authentication in the notify server process. An attacker can disrupt the lifecycle management of co-located virtual machines by sending forged domain lifecycle events through a legitimate Unix socket after gaining shell access...

6.8CVSS6AI score0.0009EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/23 11:14 p.m.5 views

Open Redirect

Overview Affected versions of this package are vulnerable to Open Redirect via the construction of callback URLs in OIDC, SAML, and logout authentication flows using the attacker-controlled HTTPHOST header. An attacker can intercept authorization codes or session tokens by manipulating the...

9.6CVSS5.8AI score0.00312EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/23 11:12 p.m.7 views

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Overview snipe/snipe-it is an asset management system built on Laravel. Affected versions of this package are vulnerable to Improper Neutralization of Special Elements in Output Used by a Downstream Component 'Injection' through the Accessory model mass assignment process. An attacker can...

8.5CVSS5.8AI score0.00389EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/23 11:11 p.m.5 views

Missing Authorization

Overview snipe/snipe-it is an asset management system built on Laravel. Affected versions of this package are vulnerable to Missing Authorization in the process that retrieves S3 signature images. An attacker can access temporary signed S3 URLs for signature images by knowing the filename, allowi...

5.3CVSS5.8AI score0.00281EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/23 11:6 p.m.17 views

Improper Authorization

Overview snipe/snipe-it is an asset management system built on Laravel. Affected versions of this package are vulnerable to Improper Authorization in the file deletion process. An attacker can remove files attached to any asset, regardless of ownership or company assignment, by leveraging generic...

5.4CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/06/23 11:6 p.m.10 views

Missing Authorization

Overview snipe/snipe-it is an asset management system built on Laravel. Affected versions of this package are vulnerable to Missing Authorization due to insufficient permission checks in the store method of the UsersController. An attacker can assign full administrative privileges to a newly...

7.1CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/06/23 11:3 p.m.5 views

Authorization Bypass Through User-Controlled Key

Overview snipe/snipe-it is an asset management system built on Laravel. Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key in the BulkAssetsController::update process. An attacker can gain unauthorized access to assets belonging to other companies...

6.3CVSS5.8AI score
Exploits0References2
Total number of security vulnerabilities36149