35665 matches found
Improper Encoding or Escaping of Output
Overview Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output in the rendering of form field labels and hints within templates due to improper output escaping. An attacker can execute arbitrary JavaScript code in the context of users viewing affected forms b...
SQL Injection
Overview Affected versions of this package are vulnerable to SQL Injection via the deletePage process. An attacker can execute arbitrary SQL commands and exfiltrate sensitive data or disrupt database integrity by crafting a malicious page tag, making it non-orphaned through legitimate linking...
SQL Injection
Overview Affected versions of this package are vulnerable to SQL Injection via the query or queries filters in public API endpoints. An attacker can access sensitive database information by injecting crafted SQL expressions into numeric filter parameters, allowing them to infer data based on the...
Server-side Request Forgery (SSRF)
Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the verifySignature process. An attacker can cause the server to initiate arbitrary outbound HTTP requests to internal or external hosts by supplying a crafted Signature.keyId header, potentially...
Improper Verification of Cryptographic Signature
Overview Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature in the verifySignature process due to improper verification of cryptographic signatures when handling the return value of opensslverify. An attacker can gain unauthorized access and perfo...
Missing Authorization
Overview Affected versions of this package are vulnerable to Missing Authorization in the erasespamedcomments process. An attacker can permanently delete arbitrary wiki pages, including critical or administrative pages, by sending crafted POST requests containing a suppr array with targeted page...
Improper Validation of Specified Type of Input
Overview Affected versions of this package are vulnerable to Improper Validation of Specified Type of Input via the period parameter in the recentchanges action when user input is not properly validated before being interpolated into a SQL query. An attacker can access arbitrary database content ...
Improper Neutralization of Special Elements Used in a Template Engine
Overview Affected versions of this package are vulnerable to Improper Neutralization of Special Elements Used in a Template Engine in the renderFromStringNoEscape process. An attacker can execute arbitrary code on the server by injecting malicious Twig expressions into the semantic template field...
Incorrect Authorization
Overview Affected versions of this package are vulnerable to Incorrect Authorization in the Avo::AttachmentsControllercreate process. An attacker can modify or replace attachment content, including binary data, filename, and content-type metadata, by directly accessing the upload endpoint and...
Command Injection
Overview Affected versions of this package are vulnerable to Command Injection via the restore process. An attacker can execute arbitrary shell commands as the application user by crafting a malicious backup archive containing specially named files that are processed during restoration. Remediati...
Missing Authorization
Overview Affected versions of this package are vulnerable to Missing Authorization due to insufficient enforcement of host revocation and operator status during certificate issuance and renewal processes. An attacker can regain valid certificates for blocked or offboarded hosts by re-enrolling or...
Missing Authorization
Overview Affected versions of this package are vulnerable to Missing Authorization due to insufficient enforcement of host revocation and operator status during certificate issuance and renewal processes. An attacker can regain valid certificates for blocked or offboarded hosts by re-enrolling or...
Missing Authorization
Overview Affected versions of this package are vulnerable to Missing Authorization due to insufficient enforcement of host revocation and operator status during certificate issuance and renewal processes. An attacker can regain valid certificates for blocked or offboarded hosts by re-enrolling or...
Missing Authorization
Overview Affected versions of this package are vulnerable to Missing Authorization due to insufficient enforcement of host revocation and operator status during certificate issuance and renewal processes. An attacker can regain valid certificates for blocked or offboarded hosts by re-enrolling or...
External Control of Assumed-Immutable Web Parameter
Overview ghost is a publishing platform Affected versions of this package are vulnerable to External Control of Assumed-Immutable Web Parameter via the donation checkout process. An attacker can obtain full paid gift memberships at a minimal cost by manipulating checkout metadata without...
Prototype Pollution
Overview @apidevtools/json-schema-ref-parser is a Parse, Resolve, and Dereference JSON Schema $ref pointers Affected versions of this package are vulnerable to Prototype Pollution in the Pointer.set process. An attacker can modify object prototype attributes by supplying crafted input to the...
Directory Traversal
Overview @mockoon/commons-server is a Mockoon's commons server library. Used in Mockoon desktop application and CLI. Affected versions of this package are vulnerable to Directory Traversal in the getSafeFilePath function in packages/commons-server/src/libs/server/server.ts, which validates the...
Command Injection
Overview ruflo is a Ruflo - Enterprise AI agent orchestration platform. Deploy 60+ specialized agents in coordinated swarms with self-learning, fault-tolerant consensus, vector memory, and MCP integration Affected versions of this package are vulnerable to Command Injection due to the exposure of...
Insufficiently Protected Credentials
Overview n8n-core is a Core functionality of n8n Affected versions of this package are vulnerable to Insufficiently Protected Credentials through the HTTP Request V3 pagination expression handling in packages/nodes-base/nodes/HttpRequest/V3/HttpRequestV3.node.ts and...
Insufficiently Protected Credentials
Overview n8n-nodes-base is a Base nodes of n8n Affected versions of this package are vulnerable to Insufficiently Protected Credentials through the HTTP Request V3 pagination expression handling in packages/nodes-base/nodes/HttpRequest/V3/HttpRequestV3.node.ts and...
Infinite loop
Overview Affected versions of this package are vulnerable to Infinite loop via the HTMLParser process. An attacker can cause excessive CPU consumption and render the system unresponsive by supplying specially crafted, malformed HTML with repeated unterminated markup declarations. Remediation A fi...
Prototype Pollution
Overview Affected versions of this package are vulnerable to Prototype Pollution via workflow credential handling in the workflow API and authentication guard code. An authenticated user with workflow:create permission can save, update, or import a crafted workflow that pollutes Object.prototype,...
Improper Restriction of Communication Channel to Intended Endpoints
Overview n8n is a n8n Workflow Automation Tool Affected versions of this package are vulnerable to Improper Restriction of Communication Channel to Intended Endpoints via the AI Agents MCP verifier in packages/cli/src/modules/agents/builder/agents-builder-tools.service.ts. An attacker can send th...
User Impersonation
Overview n8n is a n8n Workflow Automation Tool Affected versions of this package are vulnerable to User Impersonation via the token-exchange identity-resolution service in packages/cli/src/modules/token-exchange/services/identity-resolution.service.ts. An attacker can authenticate as another user...
Malicious Package
Overview none123s is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...
Malicious Package
Overview txs-builder-lib is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Directory Traversal
Overview mcp-text-editor is a MCP Text Editor Server - Edit text files via MCP protocol Affected versions of this package are vulnerable to Directory Traversal via the validatefilepath function. An attacker can access or modify files outside the intended directory by supplying crafted input to th...
Cross-site Request Forgery (CSRF)
Overview admidio/admidio is a free open source user management system for websites of organizations and groups. Affected versions of this package are vulnerable to Cross-site Request Forgery CSRF via the modules/plugins.php process. An attacker can trigger unauthorized plugin installation,...
Arbitrary Code Injection
Overview craftcms/cms is a content management system. Affected versions of this package are vulnerable to Arbitrary Code Injection in the actionRenderCardPreview process. An attacker can execute arbitrary PHP code and disclose sensitive information by injecting malicious event handlers into the...
Directory Traversal
Overview craftcms/cms is a content management system. Affected versions of this package are vulnerable to Directory Traversal via the actionIcon process. An attacker can access arbitrary local .svg files by supplying crafted traversal sequences in the extension parameter, allowing disclosure of...
Regular Expression Denial of Service (ReDoS)
Overview Affected versions of this package are vulnerable to Regular Expression Denial of Service ReDoS via the matches, matchesFull, and replaceMatches functions in FHIRPath expression evaluation. An attacker can exhaust system CPU resources by submitting specially crafted regular expressions th...
Regular Expression Denial of Service (ReDoS)
Overview Affected versions of this package are vulnerable to Regular Expression Denial of Service ReDoS via the matches, matchesFull, and replaceMatches functions in FHIRPath expression evaluation. An attacker can exhaust system CPU resources by submitting specially crafted regular expressions th...
Regular Expression Denial of Service (ReDoS)
Overview Affected versions of this package are vulnerable to Regular Expression Denial of Service ReDoS via the matches, matchesFull, and replaceMatches functions in FHIRPath expression evaluation. An attacker can exhaust system CPU resources by submitting specially crafted regular expressions th...
Regular Expression Denial of Service (ReDoS)
Overview Affected versions of this package are vulnerable to Regular Expression Denial of Service ReDoS via the matches, matchesFull, and replaceMatches functions in FHIRPath expression evaluation. An attacker can exhaust system CPU resources by submitting specially crafted regular expressions th...
Regular Expression Denial of Service (ReDoS)
Overview Affected versions of this package are vulnerable to Regular Expression Denial of Service ReDoS via the matches, matchesFull, and replaceMatches functions in FHIRPath expression evaluation. An attacker can exhaust system CPU resources by submitting specially crafted regular expressions th...
Regular Expression Denial of Service (ReDoS)
Overview Affected versions of this package are vulnerable to Regular Expression Denial of Service ReDoS via the matches, matchesFull, and replaceMatches functions in FHIRPath expression evaluation. An attacker can exhaust system CPU resources by submitting specially crafted regular expressions th...
Regular Expression Denial of Service (ReDoS)
Amendment This was deemed not a vulnerability. Overview Affected versions of this package are vulnerable to Regular Expression Denial of Service ReDoS via the matches, matchesFull, and replaceMatches functions in FHIRPath expression evaluation. An attacker can exhaust system CPU resources by...
Regular Expression Denial of Service (ReDoS)
Amendment This was deemed not a vulnerability. Overview Affected versions of this package are vulnerable to Regular Expression Denial of Service ReDoS via the matches, matchesFull, and replaceMatches functions in FHIRPath expression evaluation. An attacker can exhaust system CPU resources by...
Improper Validation of Specified Quantity in Input
Overview pymonocypher is a Python ctypes bindings to the Monocypher library Affected versions of this package are vulnerable to Improper Validation of Specified Quantity in Input in the argon2i32 function when the provided buffer for nbblocks is too small. An attacker can cause memory corruption ...
Directory Traversal
Overview Affected versions of this package are vulnerable to Directory Traversal via unsanitized input in the slug field during the export process. An attacker can cause arbitrary files and directories to be created or overwritten outside the intended export directory by submitting specially...
Directory Traversal
Overview Affected versions of this package are vulnerable to Directory Traversal via unsanitized input in the slug field during the export process. An attacker can cause arbitrary files and directories to be created or overwritten outside the intended export directory by submitting specially...
Improper Authorization
Overview Affected versions of this package are vulnerable to Improper Authorization via the GetNotesByBookID function. An attacker can access metadata of soft-deleted notes belonging to any public book by sending unauthenticated requests with the deleted query parameter set to true. This allows...
Regular Expression Denial of Service (ReDoS)
Overview Affected versions of this package are vulnerable to Regular Expression Denial of Service ReDoS in the VALUE regex pattern within the selector parsing process. An attacker can cause excessive CPU consumption and block server threads by submitting specially crafted attribute selectors with...
Allocation of Resources Without Limits or Throttling
Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the compile function. An attacker can cause excessive memory consumption by supplying a large comma-separated selector list, leading to process termination or degraded system...
External Control of File Name or Path
Overview phantom-audio is an AI audio engineering system -- makes Claude a professional audio engineer Affected versions of this package are vulnerable to External Control of File Name or Path via unconfined tool path handling and lack of input size restrictions. An attacker can write or overwrit...
Insufficiently Protected Credentials
Overview Affected versions of this package are vulnerable to Insufficiently Protected Credentials in the DefaultHttpClient process, which follows redirects and forwards sensitive headers such as Authorization, Cookie, and Proxy-Authorization to redirect targets across domain boundaries. An attack...
Insufficiently Protected Credentials
Overview io.micronaut:micronaut-http-client is a modern, JVM-based, full stack microservices framework designed for building modular, easily testable microservice applications. Affected versions of this package are vulnerable to Insufficiently Protected Credentials in the DefaultHttpClient proces...
Infinite loop
Overview Affected versions of this package are vulnerable to Infinite loop due to the lack of a maximum redirect count in the process handling HTTP redirections. An attacker can exhaust system resources and cause service disruption by triggering an infinite redirect loop. Remediation Upgrade...
Infinite loop
Overview io.micronaut:micronaut-http-client is a modern, JVM-based, full stack microservices framework designed for building modular, easily testable microservice applications. Affected versions of this package are vulnerable to Infinite loop due to the lack of a maximum redirect count in the...
Allocation of Resources Without Limits or Throttling
Overview pyload-ng is a The free and open-source Download Manager written in pure Python Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to the accumulation of Client instances in the clients list within the event management process. An...