Lucene search
+L

36149 matches found

Snyk
Snyk
added 2026/06/23 11:3 p.m.8 views

Missing Authorization

Overview snipe/snipe-it is an asset management system built on Laravel. Affected versions of this package are vulnerable to Missing Authorization via the 2FA reset process. An attacker can gain unauthorized access to privileged accounts by resetting two-factor authentication for higher-privileged...

5.8CVSS5.8AI score0.00019EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/23 11:2 p.m.2 views

Missing Authorization

Overview snipe/snipe-it is an asset management system built on Laravel. Affected versions of this package are vulnerable to Missing Authorization in the CSV import process. An attacker can gain unauthorized access to other user accounts by uploading a crafted CSV file to overwrite non-admin user...

8.5CVSS5.8AI score0.00037EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/23 10:46 p.m.9 views

Open Redirect

Overview Flask-Security is a Simple security for Flask apps. Affected versions of this package are vulnerable to Open Redirect via the validateredirecturl function. An attacker can redirect users to an attacker-controlled domain by crafting a specially formatted URL containing a backslash in the...

5.3CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/06/23 10:32 p.m.5 views

Allocation of Resources Without Limits or Throttling

Overview snipe/snipe-it is an asset management system built on Laravel. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the POST /two-factor process. An attacker can gain unauthorized access to user accounts by submitting unlimited TOTP...

6CVSS5.8AI score0.00034EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/23 10:27 p.m.4 views

Missing Authorization

Overview thorsten/phpmyfaq is a FAQ system for PHP and MySQL, PostgreSQL and other databases Affected versions of this package are vulnerable to Missing Authorization in the API endpoints responsible for category creation, FAQ creation, FAQ updating, and question creation due to missing permissio...

7.1CVSS5.8AI score0.0024EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/23 10:27 p.m.4 views

Missing Authorization

Overview phpmyfaq/phpmyfaq is a FAQ system for PHP and MySQL, PostgreSQL and other databases Affected versions of this package are vulnerable to Missing Authorization in the API endpoints responsible for category creation, FAQ creation, FAQ updating, and question creation due to missing permissio...

7.1CVSS5.8AI score0.0024EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/23 10:24 p.m.3 views

Incorrect Authorization

Overview snipe/snipe-it is an asset management system built on Laravel. Affected versions of this package are vulnerable to Incorrect Authorization in the bulk editing process. An attacker can disable administrative access and prevent legitimate users from logging in by modifying the activated an...

7.1CVSS5.8AI score0.00194EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/23 10:23 p.m.8 views

UNIX Symbolic Link (Symlink) Following

Overview Affected versions of this package are vulnerable to UNIX Symbolic Link Symlink Following via the provider installation process. An attacker can cause arbitrary files to be written outside the intended working directory by placing a crafted symlink in the .terraform/providers directory an...

6.1CVSS5.9AI score
Exploits0References2
Snyk
Snyk
added 2026/06/23 10:16 p.m.3 views

Allocation of Resources Without Limits or Throttling

Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the processPIDEvents goroutine. An attacker can cause the agent to become unresponsive by triggering the goroutine to block indefinitely in the openat2 syscall, preventing further...

6.9CVSS5.8AI score0.00017EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/23 10:16 p.m.6 views

Allocation of Resources Without Limits or Throttling

Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the processPIDEvents goroutine. An attacker can cause the agent to become unresponsive by triggering the goroutine to block indefinitely in the openat2 syscall, preventing further...

6.9CVSS5.8AI score0.00017EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/23 10:16 p.m.4 views

Allocation of Resources Without Limits or Throttling

Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the processPIDEvents goroutine. An attacker can cause the agent to become unresponsive by triggering the goroutine to block indefinitely in the openat2 syscall, preventing further...

6.9CVSS6AI score0.00017EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/23 10:16 p.m.6 views

Allocation of Resources Without Limits or Throttling

Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the processPIDEvents goroutine. An attacker can cause the agent to become unresponsive by triggering the goroutine to block indefinitely in the openat2 syscall, preventing further...

6.9CVSS6AI score0.00017EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/23 10:12 p.m.7 views

Incorrect Authorization

Overview snipe/snipe-it is an asset management system built on Laravel. Affected versions of this package are vulnerable to Incorrect Authorization in the PATCH process to /api/v1/users/theirownid when a user has both users.edit and api permissions. An attacker can escalate their own privileges b...

7CVSS5.8AI score0.00182EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/23 10:11 p.m.6 views

Missing Authorization

Overview snipe/snipe-it is an asset management system built on Laravel. Affected versions of this package are vulnerable to Missing Authorization in the selectlist API endpoint due to missing authorization checks. An attacker can enumerate all active user accounts, harvest usernames, collect...

7.1CVSS5.8AI score0.00385EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/23 10:2 p.m.4 views

Infinite loop

Overview Affected versions of this package are vulnerable to Infinite loop in the seek function of the tarfile module when processing tar archives in streaming mode. An attacker can cause the process to enter an infinite loop and exhaust system resources by providing a specially crafted archive...

8.2CVSS5.8AI score0.00433EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/23 10:2 p.m.5 views

Use of Weak Hash

Overview phpmyfaq/phpmyfaq is a FAQ system for PHP and MySQL, PostgreSQL and other databases Affected versions of this package are vulnerable to Use of Weak Hash due to the use of SHA-1 for hashing attachment passwords in the AbstractAttachment.php process. An attacker can gain unauthorized acces...

6.9CVSS5.8AI score0.00182EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/23 10:2 p.m.4 views

Use of Weak Hash

Overview thorsten/phpmyfaq is a FAQ system for PHP and MySQL, PostgreSQL and other databases Affected versions of this package are vulnerable to Use of Weak Hash due to the use of SHA-1 for hashing attachment passwords in the AbstractAttachment.php process. An attacker can gain unauthorized acces...

6.9CVSS5.8AI score0.00182EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/23 9:24 p.m.5 views

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization in the BeanDeserializer.deserializeUsingPropertyBased method, whose property-buffering branch omits the prop.visibleInViewactiveView check that the creator-property branch performs. An attacker can populate...

5.3CVSS5.8AI score0.00237EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/23 9:24 p.m.8 views

Incorrect Authorization

Overview com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. Affected versions of this package are vulnerable to Incorrect Authorization in the...

5.3CVSS5.8AI score0.00237EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/23 9:24 p.m.19 views

Improperly Controlled Modification of Dynamically-Determined Object Attributes

Overview com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object...

6.9CVSS6AI score0.00282EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/23 9:24 p.m.7 views

Improperly Controlled Modification of Dynamically-Determined Object Attributes

Overview Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes in the POJOPropertiesCollector.renameProperties and BeanDeserializerFactory.addBeanProps methods, which rename rather than drop a property whose getter carri...

6.9CVSS6AI score0.00282EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/23 9:23 p.m.5 views

Improperly Controlled Modification of Dynamically-Determined Object Attributes

Overview Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes in the BeanDeserializerBase.createContextual method, which applies the per-property exclusions through handleByNameInclusion and then rebuilds the property m...

6.9CVSS5.8AI score0.00345EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/23 9:23 p.m.4 views

Improperly Controlled Modification of Dynamically-Determined Object Attributes

Overview com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object...

6.9CVSS6AI score0.00345EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/23 9:22 p.m.7 views

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the JDKFromStringDeserializer class, which constructs InetSocketAddress and resolves the hostname through DNS at deserialization time. An attacker can force the server to issue outbound DNS lookups fo...

6.9CVSS5.8AI score0.00219EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/23 9:22 p.m.16 views

Server-side Request Forgery (SSRF)

Overview com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the JDKFromStringDeserializer class,...

6.9CVSS5.8AI score0.00219EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/23 9:22 p.m.6 views

Incomplete List of Disallowed Inputs

Overview com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs in the...

9.2CVSS5.8AI score0.00695EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/23 9:22 p.m.5 views

Incomplete List of Disallowed Inputs

Overview Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs in the BasicPolymorphicTypeValidator.Builder.allowIfSubTypeIsArray method, which allowlists an array based only on clazz.isArray and does not validate the array's component type. An attacker who...

9.2CVSS5.8AI score0.00695EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/23 9:21 p.m.4 views

Deserialization of Untrusted Data

Overview Affected versions of this package are vulnerable to Deserialization of Untrusted Data in the DatabindContext.resolveAndValidateGeneric method, which validates only the raw container class of a type identifier against the configured PolymorphicTypeValidator and not its nested generic type...

9.2CVSS6.4AI score0.00617EPSS
Exploits1References3
Snyk
Snyk
added 2026/06/23 9:21 p.m.4 views

Deserialization of Untrusted Data

Overview com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. Affected versions of this package are vulnerable to Deserialization of Untrusted Data in the...

9.2CVSS6.4AI score0.00617EPSS
Exploits1References3
Snyk
Snyk
added 2026/06/23 9:21 p.m.4 views

Allocation of Resources Without Limits or Throttling

Overview com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the...

7.5CVSS5.8AI score0.00616EPSS
Exploits1References2
Snyk
Snyk
added 2026/06/23 9:17 p.m.20 views

Cross-site Scripting (XSS)

Overview @earendil-works/pi-coding-agent is a Coding agent CLI with read, bash, edit, write tools and session management Affected versions of this package are vulnerable to Cross-site Scripting XSS via improper sanitization of Markdown link and image URLs during HTML session export. An attacker c...

2.5CVSS6AI score0.00132EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/23 9:17 p.m.14 views

Cross-site Scripting (XSS)

Overview @mariozechner/pi-coding-agent is a Coding agent CLI with read, bash, edit, write tools and session management Affected versions of this package are vulnerable to Cross-site Scripting XSS via improper sanitization of Markdown link and image URLs during HTML session export. An attacker can...

2.5CVSS6AI score0.00132EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/23 9:17 p.m.6 views

Time-of-check Time-of-use (TOCTOU) Race Condition

Overview @earendil-works/pi-coding-agent is a Coding agent CLI with read, bash, edit, write tools and session management Affected versions of this package are vulnerable to Time-of-check Time-of-use TOCTOU Race Condition through a race condition in the auth.json file write process. An attacker ca...

2.2CVSS5.8AI score0.00074EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/23 9:17 p.m.5 views

Time-of-check Time-of-use (TOCTOU) Race Condition

Overview @mariozechner/pi-coding-agent is a Coding agent CLI with read, bash, edit, write tools and session management Affected versions of this package are vulnerable to Time-of-check Time-of-use TOCTOU Race Condition through a race condition in the auth.json file write process. An attacker can...

2.2CVSS5.8AI score0.00074EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/23 9:17 p.m.6 views

Incorrect Authorization

Overview com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. Affected versions of this package are vulnerable to Incorrect Authorization in the...

6.5CVSS5.8AI score0.00211EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/23 9:17 p.m.5 views

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization in the UnwrappedPropertyHandler.processUnwrappedCreatorProperties method, which replays buffered JSON into creator parameters without consulting prop.visibleInViewactiveView. An attacker can set view-restricted...

6.5CVSS5.8AI score0.00211EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/23 7:20 p.m.5 views

Authorization Bypass

Overview n8n is a n8n Workflow Automation Tool Affected versions of this package are vulnerable to Authorization Bypass in three Enterprise Edition Dynamic Credentials endpoints, which accept any authenticated session without performing per-resource ownership or scope checks. A user with any...

9.9CVSS6.1AI score0.00343EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/23 7:20 p.m.18 views

Cross-site Scripting (XSS)

Overview @n8n/n8n-nodes-langchain is a Affected versions of this package are vulnerable to Cross-site Scripting XSS via the webhookId parameter in the Chat Trigger node. An attacker can execute arbitrary JavaScript in the context of another user's session by injecting malicious code, which is the...

7CVSS5.9AI score0.0021EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/23 7:20 p.m.6 views

Improper Export of Android Application Components

Overview Affected versions of this package are vulnerable to Improper Export of Android Application Components via the LocationSensorManager BroadcastReceiver process. An attacker can manipulate zone-based automations by sending a forged location result, causing unauthorized actions such as...

7.1CVSS5.8AI score0.00113EPSS
Exploits1References2
Snyk
Snyk
added 2026/06/23 7:19 p.m.14 views

Missing Authentication for Critical Function

Overview Affected versions of this package are vulnerable to Missing Authentication for Critical Function in the get method of the Konnected integration's HTTP endpoint, which does not enforce authentication. An attacker can access sensitive information about the alarm-panel switch state and zone...

7.6CVSS5.8AI score0.00193EPSS
Exploits1References2
Snyk
Snyk
added 2026/06/23 7:11 p.m.6 views

Cross-site Scripting (XSS)

Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Cross-site Scripting XSS via the useragent field in the participant logging process. An attacker can execute arbitrary JavaScript in the browser of a privileged us...

9.3CVSS6.1AI score0.002EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/23 7:9 p.m.9 views

Directory Traversal

Overview Affected versions of this package are vulnerable to Directory Traversal through the MoviePlaybackHandler and related handlers, which allow arbitrary file reads due to improper path validation. An attacker can gain full administrative access and execute arbitrary commands by exploiting a...

10CVSS6.6AI score
Exploits0References2
Snyk
Snyk
added 2026/06/23 6:53 p.m.6 views

Arbitrary File Upload

Overview Affected versions of this package are vulnerable to Arbitrary File Upload through a multi-stage chain involving the download, getmediacontent, getcurrentuser, restore, and post processes. An attacker can gain unauthorized access, escalate privileges, read arbitrary files, and execute...

9.8CVSS6.3AI score
Exploits0References6
Snyk
Snyk
added 2026/06/23 6:37 p.m.7 views

Missing Authorization

Overview Affected versions of this package are vulnerable to Missing Authorization via the post function in the ActionHandler process. An attacker can execute camera actions such as triggering snapshots, starting or stopping video recording, or running configured action scripts without...

6.9CVSS5.9AI score
Exploits0References2
Snyk
Snyk
added 2026/06/23 6:32 p.m.6 views

Directory Traversal

Overview Affected versions of this package are vulnerable to Directory Traversal via the getmediapath function. An attacker can access arbitrary files on the filesystem by supplying an absolute path as the filename parameter, which causes the application to bypass directory restrictions and serve...

8.7CVSS6.5AI score0.00623EPSS
Exploits1References2
Snyk
Snyk
added 2026/06/23 6:20 p.m.8 views

Directory Traversal

Overview n8n-nodes-base is a Base nodes of n8n Affected versions of this package are vulnerable to Directory Traversal via the Clone or Push operations in the Git node when a local filesystem path is supplied as the source or target repository, bypassing the intended file sandbox. An attacker can...

7.7CVSS6.5AI score0.00495EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/23 6:19 p.m.4 views

Unprotected Transport of Credentials

Overview n8n-nodes-base is a Base nodes of n8n Affected versions of this package are vulnerable to Unprotected Transport of Credentials in the SecurityScorecard node, whose report download operation attaches the SecurityScorecard API token to a request sent to a user-specified URL. A user with...

7.7CVSS6.1AI score0.00353EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/23 6:19 p.m.9 views

Incorrect Authorization

Overview n8n is a n8n Workflow Automation Tool Affected versions of this package are vulnerable to Incorrect Authorization in the shared workflows. An attacker can gain unauthorized access to credentials belonging to other users by exploiting insufficient ownership checks via specific public API...

9.9CVSS5.9AI score0.00315EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/23 6:19 p.m.4 views

Improper Validation of Specified Quantity in Input

Overview Affected versions of this package are vulnerable to Improper Validation of Specified Quantity in Input due to improper handling in the idnatounicodeinternal process. An attacker can cause information disclosure or application crashes by triggering out-of-bounds reads of uninitialized...

4CVSS5.8AI score0.0011EPSS
Exploits1References2
Snyk
Snyk
added 2026/06/23 6:3 p.m.3 views

Interpretation Conflict

Overview OctoPrint is a snappy web interface for your 3D printer Affected versions of this package are vulnerable to Interpretation Conflict via the upload endpoints when reserved internal form fields are injected as query parameters or through parser differentials between Tornado and Flask. An...

7CVSS5.8AI score
Exploits0References3
Total number of security vulnerabilities36149