Malicious Package
Overview vkzmn is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...
Malicious Package
Overview hunsterx-package is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview velocityfix is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorshi...
Malicious Package
Overview unsafe-malicious-package is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...
Malicious Package
Overview polymarket-clob-math is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview ts-einkle-slot is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview ts-ankle is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...
Malicious Package
Overview ts-einkle is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...
Malicious Package
Overview gx-npm-feature-flags is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview gx-npm-ui is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...
Malicious Package
Overview gx-npm-lib is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...
Malicious Package
Overview @vpms/design-system is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview @epsteinlovekids483/crossmint-wallets-sdk-pentest is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that...
Malicious Package
Overview crossmint-wallets-sdk is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Out-of-bounds Write
Overview Affected versions of this package are vulnerable to Out-of-bounds Write in the decodedlta function. An attacker can cause memory corruption, potentially leading to information disclosure, data modification, or application crash by supplying a crafted media stream containing a malicious...
Integer Overflow or Wraparound
Overview Affected versions of this package are vulnerable to Integer Overflow or Wraparound through the processing of a 32-bit attribute count received from a remote server in the publickey subsystem. An attacker can cause a heap buffer overflow by sending a specially crafted response that trigge...
Use of Uninitialized Resource
Overview Affected versions of this package are vulnerable to Use of Uninitialized Resource in the cleanup process of the publickey list when a parse failure occurs. An attacker can cause memory corruption or a denial of service by sending a malformed response from a malicious SSH server that...
HTTP Request Smuggling
Overview Affected versions of this package are vulnerable to HTTP Request Smuggling in the handling of HTTP/1.1 Upgrade requests containing a Content-Length header and body on reusable keep-alive backend connections. An attacker can manipulate backend responses by crafting ambiguous HTTP messages...
Protection Mechanism Failure
Overview Affected versions of this package are vulnerable to Protection Mechanism Failure in the extraction process. An attacker can bypass security warnings and spoof file content by crafting a RAR5 archive with specially named alternate data streams that overwrite the intended Internet-zone...
Malicious Package
Overview @immobiliarelabs/backstage-plugin-gitlab is a malicious package linked to a variant of the "Miasma" supply chain attack targeting the LeoPlatform npm ecosystem. A malicious actor compromised a legitimate maintainer account and used it to publish infected versions of this package in a...
Malicious Package
Overview @immobiliarelabs/backstage-plugin-ldap-auth-backend is a malicious package linked to a variant of the "Miasma" supply chain attack targeting the LeoPlatform npm ecosystem. A malicious actor compromised a legitimate maintainer account and used it to publish infected versions of this...
Malicious Package
Overview @immobiliarelabs/backstage-plugin-ldap-auth is a malicious package linked to a variant of the "Miasma" supply chain attack targeting the LeoPlatform npm ecosystem. A malicious actor compromised a legitimate maintainer account and used it to publish infected versions of this package in a...
Malicious Package
Overview @immobiliarelabs/backstage-plugin-gitlab-backend is a malicious package linked to a variant of the "Miasma" supply chain attack targeting the LeoPlatform npm ecosystem. A malicious actor compromised a legitimate maintainer account and used it to publish infected versions of this package...
Directory Traversal
Overview pnpm is a fast, disk-space-efficient package manager. Affected versions of this package are vulnerable to Directory Traversal via the configDependencies process. An attacker can create symlinks outside the intended directory by supplying crafted package names with traversal components in...
Directory Traversal
Overview @pnpm/installing.env-installer is an installer for configurational dependencies. Affected versions of this package are vulnerable to Directory Traversal via the configDependencies process. An attacker can create symlinks outside the intended directory by supplying crafted package names wi...
External Control of File Name or Path
Overview Affected versions of this package are vulnerable to External Control of File Name or Path through the patch-remove process. An attacker can cause deletion of arbitrary files outside the intended directory by crafting a patch entry that resolves outside the configured patches directory...
External Control of File Name or Path
Overview pnpm is a fast, disk-space-efficient package manager. Affected versions of this package are vulnerable to External Control of File Name or Path through the patch-remove process. An attacker can cause deletion of arbitrary files outside the intended directory by crafting a patch entry that...
External Control of File Name or Path
Overview pnpm is a fast, disk-space-efficient package manager. Affected versions of this package are vulnerable to External Control of File Name or Path via the lockfile alias handling process. An attacker can overwrite files or directories outside the intended node_modules directory by crafting a...
External Control of File Name or Path
Overview @pnpm/installing.deps-restorer provides fast installation using only pnpm-lock.yaml. Affected versions of this package are vulnerable to External Control of File Name or Path via the lockfile alias handling process. An attacker can overwrite files or directories outside the intended node_modul...
External Control of File Name or Path
Overview @pnpm/fs.symlink-dependency symlinks a dependency to node_modules. Affected versions of this package are vulnerable to External Control of File Name or Path via the lockfile alias handling process. An attacker can overwrite files or directories outside the intended node_modules director...
External Control of File Name or Path
Overview @pnpm/installing.deps-installer is a fast, disk-space-efficient installation engine. Affected versions of this package are vulnerable to External Control of File Name or Path via the lockfile alias handling process. An attacker can overwrite files or directories outside the intended...
External Control of File Name or Path
Overview @pnpm/installing.deps-resolver resolves the dependency graph of a package. Affected versions of this package are vulnerable to External Control of File Name or Path via the lockfile alias handling process. An attacker can overwrite files or directories outside the intended node_modules...
External Control of File Name or Path
Overview @pnpm/releasing.commands provides commands for deploy, pack, and publish. Affected versions of this package are vulnerable to External Control of File Name or Path via the stage download process. An attacker can overwrite arbitrary files outside the intended directory by crafting a manifest...
External Control of File Name or Path
Overview pnpm is a fast, disk-space-efficient package manager. Affected versions of this package are vulnerable to External Control of File Name or Path via the stage download process. An attacker can overwrite arbitrary files outside the intended directory by crafting a manifest with malicious...
External Control of File Name or Path
Overview @pnpm/bins.resolver returns the bins of a package. Affected versions of this package are vulnerable to External Control of File Name or Path through the handling of reserved or malformed bin names during global package operations. An attacker can cause deletion of critical directories...
External Control of File Name or Path
Overview pnpm is a fast, disk-space-efficient package manager. Affected versions of this package are vulnerable to External Control of File Name or Path through the handling of reserved or malformed bin names during global package operations. An attacker can cause deletion of critical directories...
Unsafe Dependency Resolution
Overview @pnpm/building.policy creates a function for filtering out dependencies that are not allowed to be built. Affected versions of this package are vulnerable to Unsafe Dependency Resolution via the approval process for dependency sources. An attacker can execute unauthorized code during...
Unsafe Dependency Resolution
Overview pnpm is a fast, disk-space-efficient package manager. Affected versions of this package are vulnerable to Unsafe Dependency Resolution via the approval process for dependency sources. An attacker can execute unauthorized code during the build lifecycle by crafting a dependency source...
Incorrect Authorization
Overview Affected versions of this package are vulnerable to Incorrect Authorization in the Live Preview process. An attacker can submit unauthorized content and generate shareable preview URLs by leveraging insufficient permission checks. Remediation Upgrade statamic/cms to version 5.74.0, 6.20....
CSV Injection
Overview Affected versions of this package are vulnerable to CSV Injection in the export process. An attacker can execute arbitrary spreadsheet formulas by submitting specially crafted form values that begin with formula trigger characters, which are then interpreted as live formulas when the...
Server-side Request Forgery (SSRF)
Overview Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the Glide process. An attacker can cause the server to make unauthorized HTTP requests to internal network addresses by supplying a crafted URL that exploits DNS rebinding. Remediation Upgrade...
Directory Traversal
Overview pnpm is a fast, disk-space-efficient package manager. Affected versions of this package are vulnerable to Directory Traversal via the patch application process. An attacker can overwrite or delete arbitrary files on the filesystem by submitting a malicious .patch file containing crafted...
Insufficiently Protected Credentials
Overview pnpm is a fast, disk-space-efficient package manager. Affected versions of this package are vulnerable to Insufficiently Protected Credentials in the config and auth-header flow, which binds unscoped user-level npm authToken credentials to whatever default registry a repository-local .npm...
Relative Path Traversal
Overview pnpm is a fast, disk-space-efficient package manager. Affected versions of this package are vulnerable to Relative Path Traversal in dependency alias handling, which passes alias names from package metadata into dependency linking as path components and normalizes them with path.join...
Arbitrary Argument Injection
Overview pnpm is a fast, disk-space-efficient package manager. Affected versions of this package are vulnerable to Arbitrary Argument Injection in the git fetcher at fetching/git-fetcher/src/index.ts, which passes the lockfile's resolution.commit value into git fetch and git checkout without a --...
Insufficient Verification of Data Authenticity
Overview pnpm is a fast, disk-space-efficient package manager. Affected versions of this package are vulnerable to Insufficient Verification of Data Authenticity in the default behavior of pnpm install, which accepts tarball content that does not match the integrity value recorded in the lockfile...
Out-of-bounds Read
Overview Affected versions of this package are vulnerable to Out-of-bounds Read via the tiff decoder. An attacker can cause a panic and potentially disrupt service by providing a specially crafted image file with an out-of-bounds strip offset. Remediation Upgrade github.com/golang/image/tiff to...
Out-of-bounds Read
Overview Affected versions of this package are vulnerable to Out-of-bounds Read via the tiff decoder. An attacker can cause a panic and potentially disrupt service by providing a specially crafted image file with an out-of-bounds strip offset. Remediation Upgrade golang.org/x/image/tiff to versio...
Incorrect Authorization
Overview Affected versions of this package are vulnerable to Incorrect Authorization via the Control Panel fieldtype endpoints. An attacker can access metadata and content for resources without proper permissions by sending crafted requests as an authenticated user. Remediation Upgrade statamic/c...
Server-side Request Forgery (SSRF)
Overview Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) in the proxy process. An attacker can access internal network resources and cloud metadata endpoints by exploiting a race condition between DNS validation and the actual HTTP request, using DNS rebinding...