Malicious Package
Overview libsignal-node-travatiger is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...
Malicious Package
Overview datacamp-light is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview chai-as-uphelded is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview chai-as-attested is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview ts-wross is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...
Malicious Package
Overview node-slot is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...
Malicious Package
Overview node-core-libs is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview node-fetch-utils is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview search-from-search is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview crud-respect is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview onboarding-respects-modal is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...
Malicious Package
Overview respects-switch is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview setka-editor is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview carousel-controller-mixin is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...
Deserialization of Untrusted Data
Overview picklescan is a security scanner that detects Python pickle files performing suspicious actions. Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the ensurepip.runpip function. An attacker can execute arbitrary code by crafting malicious pickle files...
Authorization Bypass Through User-Controlled Key
Overview Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key in the recordSelectOptionsQuery method. An attacker can bypass intended access restrictions by tampering with the Livewire component's state and submitting out-of-scope values in the Sele...
Open Redirect
Overview Affected versions of this package are vulnerable to Open Redirect in the normalization of the HTTP Location header during redirects. An attacker can redirect users to an arbitrary external site by supplying specially crafted input containing ASCII tab, carriage return, or newline...
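The redirect entry above describes a Location header whose normalization strips ASCII tab, carriage return and newline. The added example below is not code from the affected project (which the listing does not name); it shows the general pattern such a bug follows: a same-origin check that runs on the raw string accepts a value such as `/<TAB>/evil.example`, while the normalized header is `//evil.example`, a scheme-relative URL that a browser resolves to a foreign host. The `SITE` origin, the function names and the sample inputs are assumptions made for the demonstration.

```python
from urllib.parse import urljoin, urlsplit

SITE = "https://app.example"  # assumed origin of the application issuing the redirect


def strip_url_whitespace(url: str) -> str:
    """Delete ASCII tab, LF and CR anywhere in the string: this is what the WHATWG
    URL parser does before parsing, and what a Location normalizer may do too."""
    return url.translate({0x09: None, 0x0A: None, 0x0D: None})


def naive_is_local(url: str) -> bool:
    """Vulnerable check on the raw string: a leading single slash looks like a
    path, so '/\\t/evil.example' is accepted although it normalizes to '//evil.example'."""
    return url.startswith("/") and not url.startswith("//")


def safe_is_local(url: str) -> bool:
    """Hardened check: normalize the way the client will, reject backslashes
    (browsers treat them as slashes in http(s) URLs), then resolve against SITE
    and compare scheme and host with the site's own."""
    clean = strip_url_whitespace(url)
    if "\\" in clean:
        return False
    target = urlsplit(urljoin(SITE, clean))
    site = urlsplit(SITE)
    return (target.scheme, target.netloc) == (site.scheme, site.netloc)


def final_host(url: str) -> str:
    """Host a browser ends up on once the header has been normalized."""
    return urlsplit(urljoin(SITE, strip_url_whitespace(url))).netloc


if __name__ == "__main__":
    crafted = "/\t/evil.example/login"   # constructed attacker-supplied redirect target
    print("naive check passes:", naive_is_local(crafted))    # True
    print("browser lands on:", final_host(crafted))          # evil.example
    print("hardened check passes:", safe_is_local(crafted))  # False
```

The order matters more than the specific check: whatever validation a redirect endpoint applies must run on the same string the client will parse, so normalization comes first and the origin comparison second.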
Deserialization of Untrusted Data
Overview picklescan is a security scanner that detects Python pickle files performing suspicious actions. Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the idlelib.autocomplete.AutoComplete.getentity function. An attacker can execute arbitrary commands by...
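Both picklescan entries (the ensurepip.runpip one above and this idlelib.autocomplete one) describe the same failure mode: a scanner that looks for known-dangerous imports is bypassed by a standard-library callable it does not list. The added example below is not picklescan's code and does not reproduce either payload. It shows the loader-side control that does not depend on a blocklist, a `pickle.Unpickler` subclass whose `find_class` resolves only an explicit allowlist of globals, together with a hand-built pickle (using the harmless `os.getcwd` as its callable) that demonstrates why the stock loader cannot be trusted with untrusted bytes. The allowlist contents and the function names are assumptions for the demonstration.

```python
import io
import os
import pickle
from collections import OrderedDict

# Assumed allowlist: the only globals an untrusted pickle may resolve. Deny by
# default; any other module.name is refused before it is imported or looked up.
SAFE_GLOBALS = {
    ("collections", "OrderedDict"),
    ("builtins", "set"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that resolves only allowlisted (module, name) globals."""

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def restricted_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def build_call_pickle(module: str, name: str) -> bytes:
    """Hand-assembled pickle whose load() calls module.name() with no arguments:
    GLOBAL 'module name', EMPTY_TUPLE, REDUCE, STOP. This is the shape of any
    callable-invoking payload; the caller picks the callable."""
    return b"c" + module.encode() + b"\n" + name.encode() + b"\n" + b")R."


def stock_loader_runs_callable() -> bool:
    """The unrestricted pickle.loads executes os.getcwd() on our behalf."""
    return pickle.loads(build_call_pickle("os", "getcwd")) == os.getcwd()


def is_blocked(data: bytes) -> bool:
    """True if the restricted loader refuses the pickle."""
    try:
        restricted_loads(data)
    except pickle.UnpicklingError:
        return True
    return False


def load_benign_sample():
    """Allowlisted data still round-trips (OrderedDict is pickled by global name)."""
    return restricted_loads(pickle.dumps(OrderedDict(a=1)))


if __name__ == "__main__":
    print("stock loader executed the callable:", stock_loader_runs_callable())
    print("restricted loader blocked os.getcwd:", is_blocked(build_call_pickle("os", "getcwd")))
    print("restricted loader blocked subprocess.Popen:", is_blocked(build_call_pickle("subprocess", "Popen")))
    print("benign sample:", load_benign_sample())
```

The allowlist is consulted before any import happens, so a callable the scanner never heard of is refused just the same as one it does; for model files, prefer a format that never invokes callables at all (safetensors or similar) over a scanned pickle.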
Cross-site Scripting (XSS)
Overview Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the ImageColumn or ImageEntry components rendering raw database values without escaping HTML. An attacker can execute arbitrary HTML or JavaScript in the context of affected users by injecting malicious...
Missing Authorization
Overview filament/filament is a collection of full-stack components for accelerated Laravel app development. Affected versions of this package are vulnerable to Missing Authorization through the WithFileUploads trait. An attacker can upload arbitrary files to temporary storage by submitting...
Timing Attack
Overview filament/filament is a collection of full-stack components for accelerated Laravel app development. Affected versions of this package are vulnerable to Timing Attack via the login page. An attacker can determine whether specific email addresses are registered by measuring response tim...
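The timing entry describes a login page whose response time differs for registered and unregistered emails. The added example below is not Filament's code (which is PHP); it is a Python illustration of the two login shapes. The leaky version returns early when the email is unknown, so the expensive password hash is skipped and the fast path is measurable; the constant version always computes one hash against either the stored record or a dummy record and only then forces the result to False for unknown users. The user table, the dummy record and `ITERATIONS` are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 20_000  # deliberately low so the demonstration runs quickly


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user table: email -> (salt, hash). One registered account.
_salt = os.urandom(16)
USERS = {"alice@example.test": (_salt, hash_password("correct horse battery", _salt))}

# Hash of a random password computed once at startup; unknown emails are checked
# against it so that they cost exactly as much as a real account.
DUMMY_SALT = os.urandom(16)
DUMMY_HASH = hash_password(os.urandom(16).hex(), DUMMY_SALT)


def login_leaky(email: str, password: str) -> bool:
    """Returns before hashing when the email is unknown: the fast path is
    measurable, so an attacker can tell registered emails from unregistered ones."""
    record = USERS.get(email)
    if record is None:
        return False
    salt, stored = record
    return hmac.compare_digest(hash_password(password, salt), stored)


def login_constant(email: str, password: str) -> bool:
    """Always computes one hash and one constant-time compare, whether or not the
    email exists; the result for an unknown email is forced to False afterwards."""
    salt, stored = USERS.get(email, (DUMMY_SALT, DUMMY_HASH))
    ok = hmac.compare_digest(hash_password(password, salt), stored)
    return ok and email in USERS


def timing_ratio(login, samples: int = 10) -> float:
    """Mean time for an unknown email divided by mean time for a known email, both
    with a wrong password. Near 0 exposes enumeration; near 1 does not."""
    def mean(email):
        start = time.perf_counter()
        for _ in range(samples):
            login(email, "wrong password")
        return (time.perf_counter() - start) / samples
    return mean("nobody@example.test") / mean("alice@example.test")


if __name__ == "__main__":
    print("leaky ratio:    %.4f" % timing_ratio(login_leaky))
    print("constant ratio: %.4f" % timing_ratio(login_constant))
```

Equalizing the hash work is the part that matters; the dummy record must use the same algorithm and cost parameters as real records, or the two paths diverge again.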
Improper Enforcement of Behavioral Workflow
Overview filament/filament is a collection of full-stack components for accelerated Laravel app development. Affected versions of this package are vulnerable to Improper Enforcement of Behavioral Workflow through the improper handling of recovery codes in app-based multi-factor authentication...
Cross-site Scripting (XSS)
Overview Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the RichEditor field when it is disabled, as its state is rendered without sanitizing HTML content. An attacker can execute arbitrary HTML or JavaScript in the context of users viewing the form by injecting...
Improper Handling of Length Parameter Inconsistency
Overview zeroconf is a pure-Python Multicast DNS Service Discovery library (Bonjour/Avahi compatible). Affected versions of this package are vulnerable to Improper Handling of Length Parameter Inconsistency via the readcharacterstring and readstring functions. An attacker can inject malicious...
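The zeroconf entry concerns a length prefix that disagrees with the data actually present. The added example below is not zeroconf's code; its function names are assumptions. It parses the RFC 1035 character-string format used in TXT records (one length octet followed by that many bytes) in two ways: an unchecked reader that trusts the length, silently returns a short string and hands back an offset past the end of the buffer, and a checked reader that refuses the record. The sample RDATA bytes are constructed.

```python
class TruncatedRecord(ValueError):
    """Raised when a length prefix promises more bytes than the buffer holds."""


def read_character_string_unchecked(data: bytes, offset: int):
    """Trusts the length octet. Python slicing hides the overrun (a C reader would
    read out of bounds); the returned offset already lies past the buffer end, so
    whatever parses the next field starts from a position that does not exist."""
    length = data[offset]
    end = offset + 1 + length
    return bytes(data[offset + 1:end]), end


def read_character_string(data: bytes, offset: int):
    """Bounds-checked reader: the length octet must exist and every byte it
    announces must lie inside the buffer."""
    if offset >= len(data):
        raise TruncatedRecord("length octet missing at offset %d" % offset)
    length = data[offset]
    end = offset + 1 + length
    if end > len(data):
        raise TruncatedRecord("string claims %d bytes, only %d remain"
                              % (length, len(data) - offset - 1))
    return bytes(data[offset + 1:end]), end


def read_txt_rdata(rdata: bytes, reader=read_character_string) -> list:
    """Split TXT RDATA into its character-strings using the given reader."""
    strings, offset = [], 0
    while offset < len(rdata):
        value, offset = reader(rdata, offset)
        strings.append(value)
    return strings


def is_rejected(rdata: bytes) -> bool:
    try:
        read_txt_rdata(rdata)
    except TruncatedRecord:
        return True
    return False


# Constructed samples: a well-formed TXT RDATA, and one whose first length octet
# (0x0a = 10) exceeds the five bytes that follow it.
GOOD_RDATA = b"\x05hello\x05world"
BAD_RDATA = b"\x0ahello"

if __name__ == "__main__":
    print(read_txt_rdata(GOOD_RDATA))                                   # [b'hello', b'world']
    print(read_txt_rdata(BAD_RDATA, read_character_string_unchecked))  # [b'hello'], overrun unnoticed
    print(is_rejected(BAD_RDATA))                                       # True
```

The same check applies to every length-prefixed field in a DNS message (labels, character-strings, RDLENGTH): compare the announced end against the buffer before reading, and treat a mismatch as a malformed packet rather than something to clamp.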
Deserialization of Untrusted Data
Overview phpoffice/phpspreadsheet is a spreadsheet engine that reads, creates and writes spreadsheet documents in PHP. Affected versions of this package are vulnerable to Deserialization of Untrusted Data in the File::prohibitWrappers function. An attacker can execute arbitrary code or read files b...
Infinite loop
Overview pypdf is a pure-Python PDF library capable of splitting, merging, cropping, and transforming PDF files. Affected versions of this package are vulnerable to Infinite loop through the addarticlesthread method in PdfWriter when processing PDF thread/article structures. An attacker can...
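PDF articles are stored as a thread whose beads are chained by /N (next) links that, in a well-formed file, close back on the first bead. The added example below is not pypdf's code; it models beads as plain dicts and walks the chain with a visited set, so a chain whose /N links cycle without ever returning to the first bead is reported instead of being followed forever, which is the failure the pypdf entry describes. The thread layouts are constructed and the function names are assumptions.

```python
class BeadLoopError(ValueError):
    """Raised when /N links cycle without returning to the first bead."""


def make_thread(links: dict) -> dict:
    """Build bead dicts from {bead_id: next_bead_id or None}; returns the first bead.
    Each bead carries its object id and an /N reference, like a PDF bead dictionary."""
    beads = {bead_id: {"id": bead_id} for bead_id in links}
    for bead_id, next_id in links.items():
        beads[bead_id]["N"] = beads.get(next_id)
    return beads[next(iter(links))]


def walk_beads(first: dict, max_beads: int = 10_000) -> list:
    """Return bead ids in chain order. Stops when the chain closes on the first
    bead or simply ends; raises if any other bead is revisited or the chain is
    implausibly long."""
    seen, order = set(), []
    bead = first
    while bead is not None:
        bead_id = bead["id"]
        if bead_id in seen:
            if bead_id == first["id"]:
                break  # well-formed: the last bead's /N points back to the first
            raise BeadLoopError("bead %r revisited without returning to first bead %r"
                                % (bead_id, first["id"]))
        if len(seen) >= max_beads:
            raise BeadLoopError("more than %d beads in one thread" % max_beads)
        seen.add(bead_id)
        order.append(bead_id)
        bead = bead.get("N")
    return order


def detects_loop(links: dict) -> bool:
    try:
        walk_beads(make_thread(links))
    except BeadLoopError:
        return True
    return False


# Constructed threads: a closed ring, an open chain, and a ring that skips the first bead.
WELL_FORMED = {10: 11, 11: 12, 12: 10}
OPEN_CHAIN = {10: 11, 11: None}
HOSTILE = {10: 11, 11: 12, 12: 11}

if __name__ == "__main__":
    print(walk_beads(make_thread(WELL_FORMED)))  # [10, 11, 12]
    print(walk_beads(make_thread(OPEN_CHAIN)))   # [10, 11]
    print(detects_loop(HOSTILE))                 # True
```

Any "follow the link until we are back at the start" loop over attacker-controlled objects needs the same two guards: a set of objects already visited and a hard upper bound, since a file can make the start unreachable from the cycle.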
Server-side Request Forgery (SSRF)
Overview phpseclib/phpseclib is a PHP Secure Communications Library - Pure-PHP implementations of RSA, AES, SSH2, SFTP, X.509 etc. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the X509::validateSignature function that follows a URL from Authority...
Deserialization of Untrusted Data
Overview Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the JMX RMI connector. An attacker can execute arbitrary code on the server by sending specially crafted serialized Java objects prior to authentication. Note: This is only exploitable if the JMX...
Malicious Package
Overview free-anthropic-claude is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview free-claude is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorshi...
Missing Authorization
Overview chainlit is a library for building conversational AI applications. Affected versions of this package are vulnerable to Missing Authorization via the restoreexistingsession path in the WebSocket session restoration. An attacker can gain unauthorized access to another user's session and assume their permissions and...
Uncontrolled Recursion
Overview Affected versions of this package are vulnerable to Uncontrolled Recursion in the NestedParamsEncoder module through the dehash routine. An attacker can cause the application to crash and exhaust system resources by submitting a deeply nested query string that triggers uncontrolled...
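The NestedParamsEncoder entry describes recursion whose depth is dictated by the bracket nesting of the query string. The added example below is not the affected library's code (Faraday's encoder is Ruby; this is a Python sketch of the same idea). It decodes `a[b][0]=v` style parameters with an explicit nesting cap that is checked before any structure is built, and carries a depth counter through the dehash-style step that turns index-keyed maps into lists. The cap value, the function names and the sample queries are assumptions.

```python
import re
from urllib.parse import unquote_plus

MAX_DEPTH = 32  # assumed cap on bracket nesting
_KEY_RE = re.compile(r"^([^\[\]]+)((?:\[[^\[\]]*\])*)$")


def split_key(key: str) -> list:
    """'user[tags][0]' -> ['user', 'tags', '0']."""
    match = _KEY_RE.match(key)
    if not match:
        raise ValueError("malformed key %r" % key)
    return [match.group(1)] + re.findall(r"\[([^\[\]]*)\]", match.group(2))


def dehash(obj, max_depth: int, depth: int = 0):
    """Convert maps keyed '0'..'n-1' into lists, recursing into children. The
    depth argument is the guard the vulnerable routine lacked: recursion is
    bounded by the cap, not by the attacker's query string."""
    if depth > max_depth:
        raise ValueError("nesting depth exceeds %d" % max_depth)
    if not isinstance(obj, dict):
        return obj
    converted = {k: dehash(v, max_depth, depth + 1) for k, v in obj.items()}
    if converted and all(k.isdigit() for k in converted):
        indexes = sorted(int(k) for k in converted)
        if indexes == list(range(len(indexes))):
            return [converted[str(i)] for i in indexes]
    return converted


def decode_nested(query: str, max_depth: int = MAX_DEPTH) -> dict:
    """Decode a form-encoded query string with bracket nesting into dicts and
    lists, rejecting any key nested deeper than max_depth before building anything."""
    result = {}
    for pair in query.split("&"):
        if not pair:
            continue
        raw_key, _, raw_value = pair.partition("=")
        parts = split_key(unquote_plus(raw_key))
        if len(parts) > max_depth:
            raise ValueError("key nested %d deep, cap is %d" % (len(parts), max_depth))
        node = result
        for part in parts[:-1]:
            node = node.setdefault(part, {})
            if not isinstance(node, dict):
                raise ValueError("key %r is used as both a value and a container" % part)
        node[parts[-1]] = unquote_plus(raw_value)
    return dehash(result, max_depth)


def is_rejected(query: str) -> bool:
    try:
        decode_nested(query)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(decode_nested("user[name]=Ann&user[tags][0]=x&user[tags][1]=y"))
    deep = "a" + "[b]" * 10_000 + "=1"                # constructed hostile input
    print("deep query rejected:", is_rejected(deep))  # True
```

The cap is enforced on the key before any dict is allocated, so the cost of a hostile request is one regular-expression match rather than ten thousand nested containers followed by ten thousand recursive calls.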
SQL Injection
Overview doris-mcp-server is an enterprise-grade Model Context Protocol (MCP) server implementation for Apache Doris. Affected versions of this package are vulnerable to SQL Injection via the metadata query path. An attacker can gain unauthorized access to metadata outside the intended database scop...
Malicious Package
Overview node-path-utils is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview mddriver is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...
LDAP Injection
Overview Affected versions of this package are vulnerable to LDAP Injection via the SearchFirstActiveDirectoryRealm.findUserDn function. An attacker can manipulate the LDAP search filter by injecting LDAP filter metacharacters (including NUL) into the username field, which may result in authentication confusion...
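The LDAP entry above describes filter metacharacters reaching the user lookup unescaped. The added example below is not the affected project's code; the attribute names and the sample username are assumptions. It builds the user-lookup filter with and without RFC 4515 escaping and then counts the top-level assertions under the `(&...)` conjunction, which makes visible how an injected username adds a clause to the filter.

```python
# RFC 4515 section 3: these characters must be escaped inside assertion values.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (each char mapped once,
    so a backslash can never be escaped twice or skipped)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def user_dn_filter_unsafe(username: str) -> str:
    """Interpolates the raw username into the search filter."""
    return "(&(objectClass=user)(sAMAccountName=%s))" % username


def user_dn_filter_safe(username: str) -> str:
    """Escapes the username so it can only ever be a literal value."""
    return "(&(objectClass=user)(sAMAccountName=%s))" % escape_filter_value(username)


def and_components(filt: str) -> list:
    """Top-level assertions inside an outer (&...) filter, found by paren depth.
    Escaped \\28 and \\29 are plain text, so only structural parens count."""
    if not (filt.startswith("(&") and filt.endswith(")")):
        raise ValueError("not an AND filter")
    body = filt[2:-1]
    components, depth, start = [], 0, 0
    for i, ch in enumerate(body):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                components.append(body[start:i + 1])
    if depth != 0:
        raise ValueError("unbalanced filter")
    return components


INJECTED = "*)(objectClass=*"  # constructed attacker-supplied username

if __name__ == "__main__":
    print(user_dn_filter_unsafe(INJECTED))
    print(and_components(user_dn_filter_unsafe(INJECTED)))  # three assertions; sAMAccountName=* matches every user
    print(user_dn_filter_safe(INJECTED))
    print(and_components(user_dn_filter_safe(INJECTED)))    # still two
```

With the unescaped username the second assertion becomes `(sAMAccountName=*)`, which matches every user, and the attacker's trailing clause is absorbed as a third assertion; with escaping the username is one opaque value and the filter keeps its two intended assertions. Values placed into a DN (rather than a filter) need the separate RFC 4514 escaping rules.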
Key Exchange without Entity Authentication
Overview Affected versions of this package are vulnerable to Key Exchange without Entity Authentication due to the SSH client not verifying remote host keys for git+ssh:// connections. An attacker can intercept and compromise mirrored repositories by performing man-in-the-middle attacks...
Use of Hard-coded Credentials
Overview com.linecorp.centraldogma:centraldogma-server is a service configuration repository based on Git, ZooKeeper and HTTP/2. Affected versions of this package are vulnerable to Use of Hard-coded Credentials in the ZooKeeperReplicationConfig.secret when the replication.secr...
Malicious Package
Overview apintergrationpost is a malicious package. This package conceals a Linux remote access trojan (RAT) called MYRA. The package's documentation claims it is designed for "authorized red team exercises and EDR validation." Regardless of the publisher's intent, it should be treated as malicious...
Integer Overflow or Wraparound
Overview Affected versions of this package are vulnerable to Integer Overflow or Wraparound due to improper handling of integer values in the storeAtts function. An attacker can cause memory corruption or potentially execute arbitrary code by providing specially crafted input that triggers the...
Integer Overflow or Wraparound
Overview Affected versions of this package are vulnerable to Integer Overflow or Wraparound via the addBinding function. An attacker can cause memory corruption or potentially execute arbitrary code by providing crafted input that triggers an integer overflow. Remediation A fix was pushed into th...
Integer Overflow or Wraparound
Overview Affected versions of this package are vulnerable to Integer Overflow or Wraparound via the xmlwf process when the -d parameter is used to specify an output directory. An attacker can cause unintended behavior or potentially execute arbitrary code by providing a specially crafted output...
Integer Overflow or Wraparound
Overview Affected versions of this package are vulnerable to Integer Overflow or Wraparound due to improper handling of integer values in the doProlog process, specifically involving storeEntityValue and the calculation of entity textLen. An attacker can cause memory corruption or potentially...
Integer Overflow or Wraparound
Overview Affected versions of this package are vulnerable to Integer Overflow or Wraparound via the getAttributeId function. An attacker can cause memory corruption or execute arbitrary code by providing specially crafted input that triggers an integer overflow. Remediation A fix was pushed into...
Integer Overflow or Wraparound
Overview Affected versions of this package are vulnerable to Integer Overflow or Wraparound in the resolveSystemId function. An attacker can cause unexpected behavior or potentially execute arbitrary code by providing specially crafted input that triggers an integer overflow during processing...
Integer Overflow or Wraparound
Overview Affected versions of this package are vulnerable to Integer Overflow or Wraparound due to improper handling of integer values in the copyString function. An attacker can cause memory corruption or potentially execute arbitrary code by providing specially crafted input that triggers the...