Lucene search

33571 matches found

Snyk · added 2 days ago
Malicious Package
Overview: animatecss-postcss-plugin is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...
CVSS 9.8 · AI score 6 · Exploits: 0 · References: 2

Snyk · added 2 days ago
Malicious Package
Overview: tailwind-animates is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
CVSS 9.8 · AI score 6 · Exploits: 0 · References: 2

Snyk · added 2 days ago
Malicious Package
Overview: db-plog is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...
CVSS 9.8 · AI score 6 · Exploits: 0 · References: 2

Snyk · added 2 days ago
Malicious Package
Overview: db-connector-log is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
CVSS 9.8 · AI score 6 · Exploits: 0 · References: 2

Snyk · added 2 days ago
Malicious Package
Overview: db-convertor is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
CVSS 9.8 · AI score 6 · Exploits: 0 · References: 2

Snyk · added 2 days ago
Malicious Package
Overview: cache-section-helper is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
CVSS 9.8 · AI score 6 · Exploits: 0 · References: 2

Snyk · added 2 days ago
Malicious Package
Overview: tailwind-typography-stylecss is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...
CVSS 9.8 · AI score 6 · Exploits: 0 · References: 2

Snyk · added 2 days ago
Malicious Package
Overview: @modhamanish/rn-mm-template is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...
CVSS 9.8 · AI score 6 · Exploits: 0 · References: 2

Snyk · added 2 days ago
Allocation of Resources Without Limits or Throttling
Overview: Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the GetEndpoints process. An attacker can cause the server to allocate excessive memory by sending a GetEndpointsRequest with an extremely large endpointUrl field, delivered in...
CVSS 7.5 · AI score 6 · EPSS 0.00386 · Exploits: 0 · References: 2

Snyk · added 2 days ago
Malicious Package
Overview: vitest-agent is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
CVSS 9.8 · AI score 6 · Exploits: 0 · References: 2

Snyk · added 2 days ago
Missing Authorization
Overview: mlflow is a platform to streamline machine learning development, including tracking experiments, packaging code into reproducible runs, and sharing and deploying models. Affected versions of this package are vulnerable to Missing Authorization via the before_request handler in the trace A...
CVSS 8.8 · AI score 7.3 · EPSS 0.00337 · Exploits: 0 · References: 2

Snyk · added 2 days ago
Missing Authorization
Overview: Affected versions of this package are vulnerable to Missing Authorization via the before_request handler in the trace API endpoints. An authenticated attacker can bypass access controls by sending trace read, search, delete, update, linking, or assessment requests for experiments they do...
CVSS 8.8 · AI score 7.2 · EPSS 0.00337 · Exploits: 0 · References: 2

Snyk · added 2 days ago
Allocation of Resources Without Limits or Throttling
Overview: Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the FindServers process. An attacker can cause the server to allocate excessive memory by sending a FindServersRequest with an unbounded serverUris field, delivering a very large...
CVSS 8.7 · AI score 6.2 · EPSS 0.00388 · Exploits: 0 · References: 2

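The GetEndpoints and FindServers entries above describe the same decoder bug: a length prefix supplied by the client (the endpointUrl string, the serverUris array) is used to size an allocation before anyone checks it against a cap or against the bytes actually present. The following is an added example, not code from the affected library: a stand-alone decoder for Int32 length-prefixed strings and arrays in the OPC UA binary convention (little-endian, -1 for null) that rejects oversized prefixes before allocating. The cap values, the two-field request layout and the sample messages are constructed for the illustration.

```python
import struct
from typing import List, Optional, Tuple

# Caps are assumptions for this illustration, not values from any advisory or
# from the OPC UA specification; real servers tune them per deployment.
MAX_MESSAGE_BYTES = 64 * 1024
MAX_STRING_BYTES = 4096
MAX_ARRAY_ITEMS = 64


class DecodeError(ValueError):
    """Raised when a length prefix exceeds a cap or the bytes behind it."""


class BoundedDecoder:
    """Reads Int32 length-prefixed strings and arrays without trusting the prefix.

    Encoding follows the OPC UA binary convention (little-endian Int32 length,
    -1 meaning null); the decoder itself is illustrative, not the affected library.
    """

    def __init__(self, data: bytes) -> None:
        if len(data) > MAX_MESSAGE_BYTES:
            raise DecodeError("message exceeds MAX_MESSAGE_BYTES")
        self.data = data
        self.pos = 0

    def int32(self) -> int:
        if self.pos + 4 > len(self.data):
            raise DecodeError("truncated Int32")
        (value,) = struct.unpack_from("<i", self.data, self.pos)
        self.pos += 4
        return value

    def string(self, cap: int = MAX_STRING_BYTES) -> Optional[str]:
        length = self.int32()
        if length == -1:
            return None
        # Check the cap and the remaining bytes *before* slicing; the vulnerable
        # pattern allocates `length` bytes on the attacker's say-so.
        if length < 0 or length > cap:
            raise DecodeError(f"string length {length} exceeds cap {cap}")
        if self.pos + length > len(self.data):
            raise DecodeError("string length exceeds remaining bytes")
        raw = self.data[self.pos:self.pos + length]
        self.pos += length
        return raw.decode("utf-8")

    def string_array(self, cap: int = MAX_ARRAY_ITEMS) -> Optional[List[Optional[str]]]:
        count = self.int32()
        if count == -1:
            return None
        if count < 0 or count > cap:
            raise DecodeError(f"array length {count} exceeds cap {cap}")
        # Elements are decoded one at a time, so a large count backed by no bytes
        # fails on its first element instead of after a pre-sized allocation.
        return [self.string() for _ in range(count)]


def encode_string(value: Optional[str]) -> bytes:
    if value is None:
        return struct.pack("<i", -1)
    raw = value.encode("utf-8")
    return struct.pack("<i", len(raw)) + raw


def encode_string_array(items: List[Optional[str]]) -> bytes:
    return struct.pack("<i", len(items)) + b"".join(encode_string(i) for i in items)


def decode_request(data: bytes) -> Tuple[Optional[str], Optional[List[Optional[str]]]]:
    """Decode an (endpointUrl, serverUris) pair, the two fields the advisories name.

    A real FindServersRequest carries more fields; they are omitted here.
    """
    decoder = BoundedDecoder(data)
    return decoder.string(), decoder.string_array()


def try_decode(data: bytes):
    try:
        return ("ok", decode_request(data))
    except DecodeError as exc:
        return ("rejected", str(exc))


# Constructed inputs for the illustration.
BENIGN = encode_string("opc.tcp://plc.example:4840") + encode_string_array(["urn:site:a", "urn:site:b"])
# serverUris claims 2**31-1 entries with nothing behind the prefix.
HUGE_ARRAY = encode_string("opc.tcp://plc.example:4840") + struct.pack("<i", 0x7FFFFFFF)
# endpointUrl claims 1 GiB but only 16 bytes follow.
HUGE_STRING = struct.pack("<i", 1 << 30) + b"A" * 16 + encode_string_array([])
```

The two checks that matter are the cap comparison and the remaining-bytes comparison, both done before the slice. A decoder that pre-sizes a buffer or list from the prefix fails even when the message is tiny, because the allocation happens before it discovers the bytes are not there.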
Snyk · added 3 days ago
Improper Handling of Insufficient Permissions or Privileges
Overview: wagtail is an open source content management system built on Django. Affected versions of this package are vulnerable to Improper Handling of Insufficient Permissions or Privileges via the preview view in wagtail/images/views/images.py. An attacker can preview images they do not have...
CVSS 6.5 · AI score 6 · EPSS 0.00201 · Exploits: 0 · References: 2

Snyk · added 3 days ago
Allocation of Resources Without Limits or Throttling
Overview: wagtail is an open source content management system built on Django. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the preview(request, image_id, filter_spec) view in wagtail/images/views/images.py. An authenticated admin can...
CVSS 5.1 · AI score 5.8 · EPSS 0.0022 · Exploits: 0 · References: 2

Snyk · added 3 days ago
Prototype Pollution
Overview: jodit is a WYSIWYG editor with a file browser. Affected versions of this package are vulnerable to Prototype Pollution via the ConfigMerge and ConfigProto helpers in the configuration code. An attacker can mutate Object.prototype by supplying user-controlled...
CVSS 6.5 · AI score 6.5 · EPSS 0.00273 · Exploits: 0 · References: 2

Snyk · added 3 days ago
Cross-site Scripting (XSS)
Overview: jodit is a WYSIWYG editor with a file browser. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the safeHTML sanitizer in src/core/helpers/html/safe-html.ts and the clean-html plugin's value-set/on-change sanitization paths. An...
CVSS 7.2 · AI score 5.7 · EPSS 0.00179 · Exploits: 0 · References: 2

Snyk · added 3 days ago
Cross-site Scripting (XSS)
Overview: silverstripe/framework is a PHP framework forming the base for the SilverStripe CMS. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the "Insert media from web" functionality in the CMS, which can be triggered by a specially crafted embed. Details: Cross-si...
CVSS 5.4 · AI score 5.7 · EPSS 0.00263 · Exploits: 0 · References: 2

Snyk · added 3 days ago
Directory Traversal
Overview: gradio is a Python library for easily interacting with trained machine learning models. Affected versions of this package are vulnerable to Directory Traversal via the preprocess method in the FileExplorer component. An attacker can read arbitrary files outside the configured root_dir by...
CVSS 8.7 · AI score 6.5 · EPSS 0.0069 · Exploits: 0 · References: 2

Snyk · added 3 days ago
Incorrect Permission Assignment for Critical Resource
Overview: Affected versions of this package are vulnerable to Incorrect Permission Assignment for Critical Resource via the createconfig path in awscli/customizations/codedeploy/register.py. An attacker can read the CodeDeploy on-premises configuration file by accessing it on the same Unix-like ho...
CVSS 6.8 · AI score 6 · EPSS 0.00101 · Exploits: 0 · References: 2

Snyk · added 3 days ago
Deserialization of Untrusted Data
Overview: software.amazon.jdbc:aws-advanced-jdbc-wrapper is the Amazon Web Services (AWS) Advanced JDBC Wrapper. Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the CachedResultSet deserialization path in the RemoteQueryCachePlugin. An attacker can execute...
CVSS 7.7 · AI score 6.7 · EPSS 0.00407 · Exploits: 0 · References: 2

Snyk · added 3 days ago
SQL Injection
Overview: Affected versions of this package are vulnerable to SQL Injection via improper handling of user-supplied input in the Special:Drilldown process. An attacker can execute arbitrary SQL commands by injecting crafted input. Remediation: Upgrade mediawiki/cargo to version 3.9.1 or higher...
CVSS 8.3 · AI score 6.2 · EPSS 0.00255 · Exploits: 0 · References: 2

Snyk · added 3 days ago
Access of Resource Using Incompatible Type ('Type Confusion')
Overview: api-platform/core builds a fully-featured hypermedia or GraphQL API in minutes. Affected versions of this package are vulnerable to Access of Resource Using Incompatible Type ('Type Confusion') through the getResourceFromIri process. An attacker can assign a resource of an unintended...
CVSS 7.1 · AI score 6 · EPSS 0.00195 · Exploits: 0 · References: 2

Snyk · added 3 days ago
Sensitive Cookie with Improper SameSite Attribute
Overview: org.asynchttpclient:async-http-client provides the Async Http Client (AHC) classes. Affected versions of this package are vulnerable to Sensitive Cookie with Improper SameSite Attribute via ThreadSafeCookieStore in ThreadSafeCookieStore.add.... An attacker can plant a cookie f...
CVSS 6.3 · AI score 6 · EPSS 0.00179 · Exploits: 0 · References: 2

Snyk · added 3 days ago
Deserialization of Untrusted Data
Overview: Affected versions of this package are vulnerable to Deserialization of Untrusted Data via unsafe JavaBean materialization in com.mchange.v2.naming.JavaBeanObjectFactory. An attacker can trigger arbitrary class construction and property initialization by supplying a malicious JNDI Referen...
CVSS 7.5 · AI score 6.1 · EPSS 0.00327 · Exploits: 0 · References: 2

Snyk · added 3 days ago
Weak Password Recovery Mechanism for Forgotten Password
Overview: Affected versions of this package are vulnerable to Weak Password Recovery Mechanism for Forgotten Password through the loginlink process. An attacker can gain unauthorized access to user accounts by reusing a previously issued password reset link after the password has been changed. Thi...
CVSS 5.1 · AI score 5.9 · Exploits: 0 · References: 2

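The weakness in the entry above is a reset link whose validity depends only on the link itself, so it keeps working after the password it was meant to reset has already changed. The following is an added example, not code from the affected project or from any library: a signed reset token that carries a fingerprint of the user's current password hash, so any password change (including the one the link performs) invalidates every outstanding link. SERVER_KEY, TOKEN_TTL_SECONDS, the User class and the token layout are assumptions constructed for the illustration.

```python
import base64
import binascii
import hashlib
import hmac
from dataclasses import dataclass

# Constructed server-side key; in production this comes from a secrets store.
SERVER_KEY = b"constructed-reset-token-key"
TOKEN_TTL_SECONDS = 3600


@dataclass
class User:
    user_id: str
    password_hash: str  # whatever the application's password hasher produced


def _password_fingerprint(user: User) -> str:
    # Binds the token to the *current* credential without exposing the hash itself.
    return hashlib.sha256(user.password_hash.encode()).hexdigest()[:32]


def issue_reset_token(user: User, now: int) -> str:
    payload = f"{user.user_id}:{now + TOKEN_TTL_SECONDS}:{_password_fingerprint(user)}".encode()
    mac = hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + mac


def verify_reset_token(token: str, user: User, now: int) -> bool:
    try:
        encoded, mac = token.split(".", 1)
        payload = base64.urlsafe_b64decode(encoded.encode())
    except (ValueError, binascii.Error):
        return False
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return False
    try:
        user_id, expires_at, fingerprint = payload.decode().split(":")
    except ValueError:
        return False
    # The fingerprint comparison is what kills a link once the password changes;
    # the expiry bounds how long an unused link stays live.
    return (user_id == user.user_id
            and now < int(expires_at)
            and hmac.compare_digest(fingerprint, _password_fingerprint(user)))


def reset_password(token: str, user: User, new_hash: str, now: int) -> bool:
    """Consumes the link: once the hash changes, the fingerprint no longer matches."""
    if not verify_reset_token(token, user, now):
        return False
    user.password_hash = new_hash
    return True
```

Binding the token to the credential state is the cheapest fix because it needs no server-side storage; a per-token nonce recorded and deleted on use is the stronger option when the application already has a store for it, since it also defeats replay of a link that was issued but never used before an unrelated password change.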
Snyk · added 3 days ago
Directory Traversal
Overview: Affected versions of this package are vulnerable to Directory Traversal via the Compose.php process. An attacker can access arbitrary files on the server by crafting image source URLs containing traversal sequences after a valid CKEditor path prefix, which bypasses prefix validation and...
CVSS 7.1 · AI score 6.5 · EPSS 0.00379 · Exploits: 0 · References: 2

Snyk · added 3 days ago
Directory Traversal
Overview: github.com/hashicorp/vault/vault is a tool for securely accessing secrets. Affected versions of this package are vulnerable to Directory Traversal in the audit device validation logic when the legacy file audit path option is enabled. An attacker can access unauthorized directories by...
CVSS 5.9 · AI score 6.6 · EPSS 0.00278 · Exploits: 0 · References: 2

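Three traversal entries above (gradio's FileExplorer root_dir, the Compose.php CKEditor prefix check, and Vault's audit path validation) fail the same way: the check runs on the string the attacker sent, so ".." after an accepted prefix walks out of the intended directory. The following is an added example, not code from any of those projects: the prefix-only mapping next to a hardened version that canonicalises first and then tests containment with a separator-aware comparison. URL_PREFIX, FS_ROOT and the sample paths are constructed for the illustration.

```python
import os
from typing import Optional
from urllib.parse import unquote

# Constructed layout for the illustration: requests for /ckeditor/<rel> are served
# from FS_ROOT. Neither value comes from the advisories.
URL_PREFIX = "/ckeditor/"
FS_ROOT = "/srv/app/uploads/ckeditor"


def vulnerable_map(url_path: str) -> Optional[str]:
    """Prefix-only validation: anything after a valid prefix is trusted, so
    "/ckeditor/../../../../etc/passwd" is accepted and resolves to /etc/passwd."""
    if not url_path.startswith(URL_PREFIX):
        return None
    return FS_ROOT + "/" + url_path[len(URL_PREFIX):]


def safe_join(root: str, relative: str) -> Optional[str]:
    """Canonicalise, then test containment. Usable for any root_dir-style check."""
    if "\x00" in relative or os.path.isabs(relative):
        return None
    root_real = os.path.realpath(root)
    # realpath collapses "..", "." and (for existing components) symlinks,
    # so the check sees the path the OS would actually open.
    candidate = os.path.realpath(os.path.join(root_real, relative))
    # commonpath is separator-aware: "/srv/app/uploads/ckeditor_evil/x" shares the
    # string prefix of root_real but is not inside it, which a plain
    # candidate.startswith(root_real) would get wrong.
    try:
        inside = os.path.commonpath([root_real, candidate]) == root_real
    except ValueError:  # e.g. different drives on Windows
        inside = False
    return candidate if inside else None


def safe_map(url_path: str) -> Optional[str]:
    # Decode exactly once, before any check, so "%2e%2e" cannot slip past a check
    # that ran on the encoded form and then get decoded by a later layer.
    decoded = unquote(url_path)
    if not decoded.startswith(URL_PREFIX):
        return None
    return safe_join(FS_ROOT, decoded[len(URL_PREFIX):])
```

The order is the point: normalise, then compare; and compare with path semantics, not string semantics. Checking before normalising (or normalising twice, once before and once after the check) is the shape of every entry above.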
Snyk · added 3 days ago
Timing Attack
Overview: pay is a package for processing payments in Ruby on Rails apps. Affected versions of this package are vulnerable to Timing Attack via the valid_signature? function. An attacker can recover valid webhook signatures by sending multiple requests with crafted Paddle-Signature header values and...
CVSS 9.1 · AI score 6 · Exploits: 0 · References: 2

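The entry above is a classic early-exit comparison: a signature check that stops at the first mismatching byte takes longer the more leading bytes the attacker has right, so the signature can be recovered one position at a time. The following is an added example written in Python rather than the gem's Ruby, and is not code from the pay project or from Paddle: an instrumented leaky comparison that exposes the work it does, next to a constant-time verifier. The header layout "ts=<unix>;h1=<hex>", the signed input "<ts>:<body>", the secret and the body are assumptions constructed for the illustration.

```python
import hashlib
import hmac
from typing import Dict, List, Tuple

# Constructed secret and payload; the header layout "ts=<unix>;h1=<hex>" with the
# signed input "<ts>:<raw body>" is an assumption for this illustration.
WEBHOOK_SECRET = b"whsec_constructed_for_the_example"
BODY = b'{"event_type":"transaction.completed","data":{"id":"txn_constructed"}}'
TS = "1700000000"


def expected_signature(ts: str, body: bytes, secret: bytes = WEBHOOK_SECRET) -> str:
    return hmac.new(secret, ts.encode() + b":" + body, hashlib.sha256).hexdigest()


def parse_header(header: str) -> Dict[str, str]:
    return dict(item.split("=", 1) for item in header.split(";") if "=" in item)


def compare_leaky(a: str, b: str) -> Tuple[bool, int]:
    """Early-exit compare, instrumented to return how many characters it examined.
    Wall-clock time tracks that count, which is what the attacker measures."""
    if len(a) != len(b):
        return False, 0
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return False, i + 1
    return True, len(a)


def verify_leaky(header: str, body: bytes) -> bool:
    h = parse_header(header)
    return compare_leaky(expected_signature(h.get("ts", ""), body), h.get("h1", ""))[0]


def verify_constant_time(header: str, body: bytes) -> bool:
    h = parse_header(header)
    if "ts" not in h or "h1" not in h:
        return False
    # compare_digest runs in time independent of where the first mismatch sits.
    return hmac.compare_digest(expected_signature(h["ts"], body), h["h1"])


def guess_with_prefix(real: str, k: int) -> str:
    # Filler "z" is not a hex digit, so position k always mismatches.
    return real[:k] + "z" * (len(real) - k)


def oracle_work(body: bytes, prefix_lengths: List[int]) -> List[int]:
    """Characters examined by compare_leaky for guesses sharing k correct leading
    characters. The monotone growth is the side channel: the attacker tries all
    16 hex digits at position k and keeps the one that took longest."""
    real = expected_signature(TS, body)
    return [compare_leaky(real, guess_with_prefix(real, k))[1] for k in prefix_lengths]


def valid_header(body: bytes = BODY) -> str:
    return f"ts={TS};h1={expected_signature(TS, body)}"
```

In Ruby the equivalent of hmac.compare_digest is ActiveSupport::SecurityUtils.secure_compare (or OpenSSL.fixed_length_secure_compare); any hand-written == on the hex strings has the leaky shape shown above. Replay protection on the ts field is a separate control and is not what this entry is about.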
Snyk · added 3 days ago
Incorrect Authorization
Overview: twig/twig is a flexible, fast, and secure template language for PHP. Affected versions of this package are vulnerable to Incorrect Authorization in the checkSecurity process. An attacker can execute unauthorized filters, tags, or functions by manipulating the sandbox state between render...
CVSS 8.7 · AI score 6 · Exploits: 0 · References: 3

Snyk · added 3 days ago
Improper Validation of Array Index
Overview: Affected versions of this package are vulnerable to Improper Validation of Array Index in the UnmarshalJSON function when processing attacker-controlled short ciphertexts. An attacker can cause the server to panic and disrupt service by submitting a specially crafted JSON payload with a...
CVSS 5.3 · AI score 6 · Exploits: 0 · References: 2

Snyk · added 3 days ago
External Control of File Name or Path
Overview: keras is a high-level neural networks API for Python. Affected versions of this package are vulnerable to External Control of File Name or Path via the H5IOStore.verifydataset function and the file_editor.py process. An attacker can access arbitrary files on the filesystem by...
CVSS 6.8 · AI score 6.3 · EPSS 0.00127 · Exploits: 0 · References: 2

Snyk · added 3 days ago
Deserialization of Untrusted Data
Overview: ray is a system for parallel and distributed Python that unifies the ML ecosystem. Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the read_webdataset function. An attacker can execute arbitrary code on remote workers by supplying a specially...
CVSS 8.8 · AI score 6.4 · EPSS 0.00483 · Exploits: 0 · References: 2

Snyk · added 3 days ago
Deserialization of Untrusted Data
Overview: megatron-bridge (Megatron Bridge) provides training recipes for Megatron-based LLM and VLM models. Affected versions of this package are vulnerable to Deserialization of Untrusted Data in the deserialization process. An attacker can execute arbitrary code, escalate privileges, tamper with data...
CVSS 8.5 · AI score 6.1 · EPSS 0.00175 · Exploits: 0 · References: 2

Snyk · added 3 days ago
Deserialization of Untrusted Data
Overview: megatron-bridge (Megatron Bridge) provides training recipes for Megatron-based LLM and VLM models. Affected versions of this package are vulnerable to Deserialization of Untrusted Data in the deserialization process. An attacker can execute arbitrary code, escalate privileges, tamper with data...
CVSS 8.5 · AI score 6.1 · EPSS 0.00154 · Exploits: 0 · References: 2

Snyk · added 3 days ago
Deserialization of Untrusted Data
Overview: megatron-bridge (Megatron Bridge) provides training recipes for Megatron-based LLM and VLM models. Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the deserialization process. An attacker can execute arbitrary code, escalate privileges, tamper with dat...
CVSS 8.5 · AI score 6.1 · EPSS 0.00165 · Exploits: 0 · References: 2

Snyk · added 3 days ago
Server-side Request Forgery (SSRF)
Overview: megatron-bridge (Megatron Bridge) provides training recipes for Megatron-based LLM and VLM models. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the request process. An attacker can access internal resources and potentially disclose sensitive...
CVSS 8.5 · AI score 5.9 · EPSS 0.00148 · Exploits: 0 · References: 2

Snyk · added 3 days ago
Deserialization of Untrusted Data
Overview: megatron-bridge (Megatron Bridge) provides training recipes for Megatron-based LLM and VLM models. Affected versions of this package are vulnerable to Deserialization of Untrusted Data in the process responsible for dynamically managing code resources. An attacker can execute arbitrary code,...
CVSS 8.5 · AI score 6.2 · EPSS 0.00155 · Exploits: 0 · References: 2

Snyk · added 3 days ago
Deserialization of Untrusted Data
Overview: megatron-bridge (Megatron Bridge) provides training recipes for Megatron-based LLM and VLM models. Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the deserialization process. An attacker can execute arbitrary code, escalate privileges, tamper with dat...
CVSS 8.5 · AI score 6.1 · EPSS 0.00169 · Exploits: 0 · References: 2

Snyk · added 3 days ago
Deserialization of Untrusted Data
Overview: megatron-bridge (Megatron Bridge) provides training recipes for Megatron-based LLM and VLM models. Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the deserialization process. An attacker can execute arbitrary code, escalate privileges, tamper with dat...
CVSS 8.5 · AI score 6.1 · EPSS 0.00154 · Exploits: 0 · References: 2

Snyk · added 3 days ago
Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
Overview: megatron-bridge (Megatron Bridge) provides training recipes for Megatron-based LLM and VLM models. Affected versions of this package are vulnerable to Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') in the process responsible for dynamically managing code...
CVSS 8.5 · AI score 6 · EPSS 0.00169 · Exploits: 0 · References: 2

Snyk · added 3 days ago
Arbitrary Code Injection
Overview: megatron-bridge (Megatron Bridge) provides training recipes for Megatron-based LLM and VLM models. Affected versions of this package are vulnerable to Arbitrary Code Injection in the code generation process. An attacker can execute arbitrary code, escalate privileges, tamper with data, and...
CVSS 8.5 · AI score 6.2 · EPSS 0.00175 · Exploits: 0 · References: 2

Snyk · added 3 days ago
Arbitrary Code Injection
Overview: megatron-bridge (Megatron Bridge) provides training recipes for Megatron-based LLM and VLM models. Affected versions of this package are vulnerable to Arbitrary Code Injection via the deserialization process. An attacker can execute arbitrary code, escalate privileges, tamper with data, and...
CVSS 8.5 · AI score 6.1 · EPSS 0.00164 · Exploits: 0 · References: 2

Snyk · added 3 days ago
Deserialization of Untrusted Data
Overview: megatron-bridge (Megatron Bridge) provides training recipes for Megatron-based LLM and VLM models. Affected versions of this package are vulnerable to Deserialization of Untrusted Data via improper validation of allowed inputs. An attacker can execute arbitrary code, escalate privileges, tampe...
CVSS 8.5 · AI score 6.1 · EPSS 0.00155 · Exploits: 0 · References: 2

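The deserialization entries above for ray (read_webdataset), keras and the run of megatron-bridge advisories share one root cause: loading a serialized object lets the serializer's own machinery pick and call code, so a checkpoint or dataset shard is effectively a script. The following is an added example, not code from any of those projects. It assumes the format is Python pickle, which the truncated entries do not confirm, and shows the gadget pattern next to a find_class allowlist that refuses anything but plain data. Gadget, RestrictedUnpickler and the two sample payloads are constructed for the illustration.

```python
import builtins
import io
import os
import pickle
from typing import Any, Tuple


class Gadget:
    """Stand-in for an attacker-crafted object. pickle calls the callable returned
    by __reduce__ at load time; os.getcwd is used so the example stays harmless,
    where a real payload would name os.system or subprocess.Popen."""

    def __reduce__(self):
        return (os.getcwd, ())


# Constructed inputs: a checkpoint-like dict and the gadget pickle.
BENIGN = pickle.dumps({"step": 1200, "lr": 3e-4, "tags": ["run-a"]})
MALICIOUS = pickle.dumps(Gadget())

# Only plain data containers and scalars; no functions, no classes from other modules.
ALLOWED_BUILTINS = frozenset({"dict", "list", "tuple", "set", "frozenset",
                              "str", "bytes", "int", "float", "bool", "complex"})


class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module: str, name: str) -> Any:
        # Every GLOBAL/STACK_GLOBAL opcode lands here; this is the only choke point
        # pickle offers, so the decision is an allowlist, never a denylist.
        if module == "builtins" and name in ALLOWED_BUILTINS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(f"global '{module}.{name}' is forbidden")


def unsafe_loads(data: bytes) -> Any:
    """The pattern behind the advisories: pickle.loads on bytes you did not produce.
    Loading MALICIOUS runs the gadget and returns whatever os.getcwd() returned."""
    return pickle.loads(data)


def restricted_loads(data: bytes) -> Any:
    return RestrictedUnpickler(io.BytesIO(data)).load()


def try_restricted(data: bytes) -> Tuple[str, Any]:
    try:
        return ("ok", restricted_loads(data))
    except pickle.UnpicklingError as exc:
        return ("rejected", str(exc))
```

The allowlist narrows the surface; it does not make pickle safe for hostile input, because any allowed class with a permissive __setstate__ or __reduce__ becomes the next gadget. The durable fix is a data-only format for checkpoints and shards (safetensors, JSON, NumPy with allow_pickle=False) and, where a framework loader is unavoidable, its data-only mode such as torch.load(..., weights_only=True). The same allowlist discipline applies to the 'Unsafe Reflection' entry above: a string that selects a class or module to import must be looked up in a fixed table, not passed to importlib.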
Snyk · added 3 days ago
Improper Input Validation
Overview: pretix ("Reinventing presales, one ticket at a time") is a ticketing platform. Affected versions of this package are vulnerable to Improper Input Validation via improper validation of session parameters in the payment integration plugins and the use of shared cryptographic keys and salts across unrelated...
CVSS 9.9 · AI score 6 · EPSS 0.00239 · Exploits: 0 · References: 2

Snyk · added 3 days ago
Relative Path Traversal
Overview: clearml (ClearML) is an experiment manager, version control, and MLOps platform for AI. Affected versions of this package are vulnerable to Relative Path Traversal via the StorageManager.extracttocache process. An attacker can write arbitrary files to the filesystem by uploading a...
CVSS 4.8 · AI score 6.7 · EPSS 0.00357 · Exploits: 0 · References: 2

Snyk · added 3 days ago
Uncaught Exception
Overview: @fastify/middie is a middleware engine for Fastify. Affected versions of this package are vulnerable to Uncaught Exception in the URL normalization process when handling malformed percent-encoded sequences in incoming request paths. An attacker can cause the Node.js process to terminate...
CVSS 8.7 · AI score 6 · EPSS 0.00291 · Exploits: 0 · References: 2

Snyk · added 3 days ago
Interpretation Conflict
Overview: @fastify/middie is a middleware engine for Fastify. Affected versions of this package are vulnerable to Interpretation Conflict via the path parameter handling process. An attacker can gain unauthorized access to protected route handlers by sending a crafted URL containing an encoded slas...
CVSS 9.3 · AI score 6 · EPSS 0.00299 · Exploits: 0 · References: 2

Snyk · added 3 days ago
Cross-site Request Forgery (CSRF)
Overview: Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) via the process that handles user requests without proper validation of request origin. An attacker can perform unauthorized actions on behalf of authenticated users by tricking them into submitting...
CVSS 8.3 · AI score 6 · EPSS 0.00157 · Exploits: 0 · References: 2

Snyk · added 3 days ago
Cross-site Scripting (XSS)
Overview: Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via improper handling of user-supplied input in the map format. An attacker can execute arbitrary JavaScript code in the context of users viewing affected pages by injecting malicious payloads. Details: Cross-sit...
CVSS 8.3 · AI score 5.8 · EPSS 0.00268 · Exploits: 0 · References: 2

Total number of security vulnerabilities: 33571