32129 matches found

Snyk, added 2 days ago, 1 view

Directory Traversal

Overview: @pnpm/installing.env-installer is an installer for configurational dependencies. Affected versions of this package are vulnerable to Directory Traversal via the configDependencies process. An attacker can create symlinks outside the intended directory by supplying crafted package names wi...

CVSS 8.2, AI score 6.5
Exploits: 0, References: 2
Snyk, added 2 days ago, 1 view

Directory Traversal

Overview: pnpm is a fast, disk space efficient package manager. Affected versions of this package are vulnerable to Directory Traversal via the configDependencies process. An attacker can create symlinks outside the intended directory by supplying crafted package names with traversal components in...

CVSS 8.2, AI score 6.5
Exploits: 0, References: 2
Snyk, added 2 days ago, 1 view

External Control of File Name or Path

Overview: @pnpm/installing.deps-resolver resolves the dependency graph of a package. Affected versions of this package are vulnerable to External Control of File Name or Path via the lockfile alias handling process. An attacker can overwrite files or directories outside the intended node_modules...

CVSS 7.1, AI score 5.8
Exploits: 0, References: 3
Snyk, added 2 days ago, 1 view

External Control of File Name or Path

Overview: pnpm is a fast, disk space efficient package manager. Affected versions of this package are vulnerable to External Control of File Name or Path via the lockfile alias handling process. An attacker can overwrite files or directories outside the intended node_modules directory by crafting a...

CVSS 7.1, AI score 5.8
Exploits: 0, References: 3
Snyk, added 2 days ago, 1 view

External Control of File Name or Path

Overview: @pnpm/installing.deps-installer is a fast, disk space efficient installation engine. Affected versions of this package are vulnerable to External Control of File Name or Path via the lockfile alias handling process. An attacker can overwrite files or directories outside the intended...

CVSS 7.1, AI score 5.8
Exploits: 0, References: 3
Snyk, added 2 days ago, 1 view

External Control of File Name or Path

Overview: @pnpm/fs.symlink-dependency symlinks a dependency into node_modules. Affected versions of this package are vulnerable to External Control of File Name or Path via the lockfile alias handling process. An attacker can overwrite files or directories outside the intended node_modules director...

CVSS 7.1, AI score 5.8
Exploits: 0, References: 3
Snyk, added 2 days ago, 1 view

External Control of File Name or Path

Overview: @pnpm/installing.deps-restorer provides fast installation using only pnpm-lock.yaml. Affected versions of this package are vulnerable to External Control of File Name or Path via the lockfile alias handling process. An attacker can overwrite files or directories outside the intended node_modul...

CVSS 7.1, AI score 5.8
Exploits: 0, References: 3
Snyk, added 3 days ago, 1 view

Incorrect Authorization

Overview: Affected versions of this package are vulnerable to Incorrect Authorization in the Live Preview process. An attacker can submit unauthorized content and generate shareable preview URLs by leveraging insufficient permission checks. Remediation: Upgrade statamic/cms to version 5.74.0, 6.20....

CVSS 5.1, AI score 5.8
Exploits: 0, References: 2
Snyk, added 3 days ago, 1 view

CSV Injection

Overview: Affected versions of this package are vulnerable to CSV Injection in the export process. An attacker can execute arbitrary spreadsheet formulas by submitting specially crafted form values that begin with formula trigger characters, which are then interpreted as live formulas when the...

CVSS 6.1, AI score 6
Exploits: 0, References: 2
Snyk, added 3 days ago, 1 view

Server-side Request Forgery (SSRF)

Overview: Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the Glide process. An attacker can cause the server to make unauthorized HTTP requests to internal network addresses by supplying a crafted URL that exploits DNS rebinding. Remediation: Upgrade...

CVSS 4.9, AI score 5.8
Exploits: 0, References: 3
Snyk, added 3 days ago, 1 view

Incorrect Authorization

Overview: Affected versions of this package are vulnerable to Incorrect Authorization via the Control Panel fieldtype endpoints. An attacker can access metadata and content for resources without proper permissions by sending crafted requests as an authenticated user. Remediation: Upgrade statamic/c...

CVSS 5.3, AI score 5.8, EPSS 0.00162
Exploits: 0, References: 3
Snyk, added 3 days ago, 1 view

Server-side Request Forgery (SSRF)

Overview: Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) in the proxy process. An attacker can access internal network resources and cloud metadata endpoints by exploiting a race condition between DNS validation and the actual HTTP request, using DNS rebinding...

CVSS 3, AI score 5.8
Exploits: 0, References: 3
Snyk, added 3 days ago, 1 view

Unlock of a Resource that is not Locked

Overview: thorsten/phpmyfaq is a FAQ system for PHP and MySQL, PostgreSQL and other databases. Affected versions of this package are vulnerable to Unlock of a Resource that is not Locked in the editUser and updateUserRights processes. An attacker can gain unauthorized SuperAdmin privileges or grant...

CVSS 8.8, AI score 5.9, EPSS 0.00251
Exploits: 0, References: 2
Snyk, added 3 days ago, 1 view

Unlock of a Resource that is not Locked

Overview: phpmyfaq/phpmyfaq is a FAQ system for PHP and MySQL, PostgreSQL and other databases. Affected versions of this package are vulnerable to Unlock of a Resource that is not Locked in the editUser and updateUserRights processes. An attacker can gain unauthorized SuperAdmin privileges or grant...

CVSS 8.8, AI score 5.9, EPSS 0.00251
Exploits: 0, References: 2
Snyk, added 3 days ago, 1 view

Insertion of Sensitive Information into Log File

Overview: web-auth/webauthn-symfony-bundle is a FIDO2/Webauthn Security Bundle for Symfony. Affected versions of this package are vulnerable to Insertion of Sensitive Information into Log File in the onAuthenticationSuccess and onAuthenticationFailure processes. An attacker can obtain sensitive...

CVSS 8.7, AI score 5.8
Exploits: 0, References: 2
Snyk, added 3 days ago, 1 view

HTTP Request Smuggling

Overview: Affected versions of this package are vulnerable to HTTP Request Smuggling in the ServerConnection process. An attacker can bypass application-level size limits or cause incorrect application behavior by sending HTTP/2 DATA frames with a total byte count that does not match the declared...

CVSS 8.7, AI score 5.8, EPSS 0.00267
Exploits: 0, References: 2
Snyk, added 3 days ago, 1 view

HTTP Request Smuggling

Overview: Affected versions of this package are vulnerable to HTTP Request Smuggling in the ServerConnection process. An attacker can bypass application-level size limits or cause incorrect application behavior by sending HTTP/2 DATA frames with a total byte count that does not match the declared...

CVSS 8.7, AI score 5.8, EPSS 0.00267
Exploits: 0, References: 2
Snyk, added 3 days ago, 1 view

NULL Pointer Dereference

Overview: muhammara is a package to create, read and modify PDF files and streams, a drop-in replacement for the hummusjs PDF library. Affected versions of this package are vulnerable to NULL Pointer Dereference in the CreateFilterForStream process when handling PDF streams with /Filter /LZWDecode and a...

CVSS 8.7, AI score 5.8
Exploits: 0, References: 2
Snyk, added 3 days ago, 1 view

Information Exposure

Overview: pterodactyl/panel is a game management panel. Affected versions of this package are vulnerable to Information Exposure via the email update process. An attacker can determine whether specific email addresses are registered by sending repeated requests and observing the system's responses...

CVSS 6.9, AI score 5.8
Exploits: 0, References: 2
Snyk, added 3 days ago, 1 view

Missing Authorization

Overview: pagekit/pagekit is a modular and lightweight CMS built with Symfony components and Vue.js. Affected versions of this package are vulnerable to Missing Authorization due to missing authorization checks in the saveAction function of UserApiController. An attacker can gain elevated privileg...

CVSS 8.8, AI score 6.1, EPSS 0.00479
Exploits: 0, References: 2
Snyk, added 3 days ago, 5 views

Malicious Package

Overview: rollup-plugin-polyfill-connect is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and thi...

CVSS 9.8, AI score 5.8
Exploits: 0, References: 2
Snyk, added 3 days ago, 5 views

Malicious Package

Overview: react-icon-svgs is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

CVSS 9.8, AI score 5.8
Exploits: 0, References: 2
Snyk, added 3 days ago, 6 views

Malicious Package

Overview: ai-node-relay is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

CVSS 9.8, AI score 5.8
Exploits: 0, References: 2
Snyk, added 3 days ago, 6 views

Malicious Package

Overview: ai-node-agent is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

CVSS 9.8, AI score 5.8
Exploits: 0, References: 2
Snyk, added 3 days ago, 4 views

Malicious Package

Overview: prism-silq is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...

CVSS 9.8, AI score 5.8
Exploits: 0, References: 2
Snyk, added 3 days ago, 6 views

Malicious Package

Overview: hexo-shoka-swiper is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

CVSS 9.8, AI score 5.8
Exploits: 0, References: 2
Snyk, added 3 days ago, 5 views

Malicious Package

Overview: hexo-deployer-wrangler is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this packag...

CVSS 9.8, AI score 5.8
Exploits: 0, References: 2
Snyk, added 3 days ago, 4 views

Malicious Package

Overview: wao is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...

CVSS 9.8, AI score 5.8
Exploits: 0, References: 2
Snyk, added 3 days ago, 4 views

Malicious Package

Overview: vxui-react is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...

CVSS 9.8, AI score 5.8
Exploits: 0, References: 2
Snyk, added 3 days ago, 5 views

Malicious Package

Overview: tw-style-utils is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

CVSS 9.8, AI score 5.8
Exploits: 0, References: 2
Snyk, added 3 days ago, 5 views

Malicious Package

Overview: pump-stream-logger is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

CVSS 9.8, AI score 5.8
Exploits: 0, References: 2
Snyk, added 3 days ago, 3 views

Malicious Package

Overview: pino-zod is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...

CVSS 9.8, AI score 5.8
Exploits: 0, References: 2
Snyk, added 3 days ago, 5 views

Malicious Package

Overview: zod-pino is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...

CVSS 9.8, AI score 5.8
Exploits: 0, References: 2
Snyk, added 3 days ago, 4 views

Malicious Package

Overview: pump-laserstream-parser is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this packa...

CVSS 9.8, AI score 5.8
Exploits: 0, References: 2
Snyk, added 3 days ago, 4 views

Malicious Package

Overview: ttal2ttml is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...

CVSS 9.8, AI score 5.8
Exploits: 0, References: 2
Snyk, added 3 days ago, 3 views

Malicious Package

Overview: kdrive-utils is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

CVSS 9.8, AI score 5.8
Exploits: 0, References: 2
Snyk, added 3 days ago, 6 views

Malicious Package

Overview: analysis-chart is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

CVSS 9.8, AI score 5.8
Exploits: 0, References: 2
Snyk, added 3 days ago, 5 views

Malicious Package

Overview: theme-color-picker is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

CVSS 9.8, AI score 5.8
Exploits: 0, References: 2
Snyk, added 3 days ago, 4 views

Malicious Package

Overview: package-uploader is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

CVSS 9.8, AI score 5.8
Exploits: 0, References: 2
Snyk, added 3 days ago, 5 views

Malicious Package

Overview: ref-slot is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...

CVSS 9.8, AI score 5.8
Exploits: 0, References: 2
Snyk, added 3 days ago, 5 views

Malicious Package

Overview: ts-opus is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...

CVSS 9.8, AI score 5.8
Exploits: 0, References: 2
Snyk, added 3 days ago, 3 views

Malicious Package

Overview: wellnpm is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...

CVSS 9.8, AI score 5.8
Exploits: 0, References: 2
Snyk, added 4 days ago, 1 view

Cross-site Scripting (XSS)

Overview: getgrav/grav is a Modern, Crazy Fast, Ridiculously Easy and Amazingly Powerful Flat-File CMS. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the page editor process. An attacker can execute arbitrary scripts and potentially gain system access by injecting...

CVSS 5.4, AI score 5.9, EPSS 0.00167
Exploits: 0, References: 2
Snyk, added 4 days ago, 1 view

Insecure Temporary File

Overview: @anthropic-ai/claude-code lets you use Claude, Anthropic's AI assistant, right from your terminal. Claude can understand your codebase, edit files, run terminal commands, and handle entire workflows for you. Affected versions of this package are vulnerable to Insecure Temporary File via the...

CVSS 5.5, AI score 6
Exploits: 0, References: 3
Snyk, added 4 days ago, 3 views

Inefficient Algorithmic Complexity

Overview: shell-quote is a package used to quote and parse shell commands. Affected versions of this package are vulnerable to Inefficient Algorithmic Complexity in the parseInternal function of parse.js, where parse finalizes the token list with Array.prototype.concat inside a reduce, copying the...

CVSS 8.7, AI score 5.9, EPSS 0.0036
Exploits: 0, References: 2
Snyk, added 4 days ago, 3 views

Inefficient Algorithmic Complexity

Overview: org.webjars.npm:shell-quote is a package used to quote and parse shell commands. Affected versions of this package are vulnerable to Inefficient Algorithmic Complexity in the parseInternal function of parse.js, where parse finalizes the token list with Array.prototype.concat inside a...

CVSS 8.7, AI score 5.9, EPSS 0.0036
Exploits: 0, References: 2
Snyk, added 4 days ago, 4 views

Exposure of Sensitive System Information to an Unauthorized Control Sphere

Overview: org.jenkins-ci.plugins:github-branch-source provides multibranch projects and organization folders from GitHub. Maintained by CloudBees, Inc. Affected versions of this package are vulnerable to Exposure of Sensitive System Information to an Unauthorized Control Sphere via a missing permissio...

CVSS 5.3, AI score 5.8, EPSS 0.00216
Exploits: 0, References: 2
Snyk, added 4 days ago, 4 views

Command Injection

Overview: org.jenkins-ci.plugins:git-client is a Jenkins git client plugin. Affected versions of this package are vulnerable to Command Injection via improper neutralization of workspace directory names in the SSH wrapper script generated by the "Manually provided keys" Git Host Key Verification...

CVSS 5, AI score 6, EPSS 0.00207
Exploits: 0, References: 2
Snyk, added 4 days ago, 5 views

Unsafe Dependency Resolution

Overview: org.jenkins-ci.plugins:script-security is a package that allows Jenkins administrators to control what in-process scripts can be run by less-privileged users. Affected versions of this package are vulnerable to Unsafe Dependency Resolution via Groovy AST transformation annotations during...

CVSS 8.5, AI score 6.2, EPSS 0.00413
Exploits: 0, References: 2
Snyk, added 4 days ago, 3 views

Improper Control of Dynamically-Managed Code Resources

Overview: org.jenkins-ci.plugins:script-security is a package that allows Jenkins administrators to control what in-process scripts can be run by less-privileged users. Affected versions of this package are vulnerable to Improper Control of Dynamically-Managed Code Resources via incomplete sandbox...

CVSS 8.8, AI score 5.8, EPSS 0.00372
Exploits: 0, References: 2
Total number of security vulnerabilities: 32129