Exposed Dangerous Method or Function

Overview @nuxt/webpack-builder is a Webpack bundler for Nuxt Affected versions of this package are vulnerable to Exposed Dangerous Method or Function when using webpack or rspack builder and navigating to a malicious website. An attacker can inject a script tag to request a classic script, which ...

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the navigateTo function when handling external redirects in server-side rendering. An attacker can execute arbitrary HTML or JavaScript in the application's origin by supplying a crafted URL containing...

Directory Traversal

Overview Affected versions of this package are vulnerable to Directory Traversal due to the improper validation of annotations from org.opencontainers.image.title in pullArtifact methods in Registry and OCILayout. An attacker can manipulate this annotation to create a path that escapes the output...

Directory Traversal

Overview Affected versions of this package are vulnerable to Directory Traversal due to improper path validation in the repository checkout process. An attacker can modify files outside the intended target directory, including .git directories, by supplying a maliciously crafted repository payloa...

Directory Traversal

Overview Affected versions of this package are vulnerable to Directory Traversal due to improper path validation in the repository checkout process. An attacker can modify files outside the intended target directory, including .git directories, by supplying a maliciously crafted repository payloa...

Directory Traversal

Overview Affected versions of this package are vulnerable to Directory Traversal due to improper path validation in the repository checkout process. An attacker can modify files outside the intended target directory, including .git directories, by supplying a maliciously crafted repository payloa...

Malicious Package

Overview is-really-odd is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

Improper Encoding or Escaping of Output

Overview Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output due to improper escaping of single quotes in the SSH transport command construction process. An attacker can inject arbitrary shell tokens by including single quotes in the repository path,...

Improper Encoding or Escaping of Output

Overview Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output due to improper escaping of single quotes in the SSH transport command construction process. An attacker can inject arbitrary shell tokens by including single quotes in the repository path,...

Improper Encoding or Escaping of Output

Overview Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output due to improper escaping of single quotes in the SSH transport command construction process. An attacker can inject arbitrary shell tokens by including single quotes in the repository path,...

Malicious Package

Overview chai-use-chain is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

Insecure Storage of Sensitive Information

Overview @haxtheweb/haxcms-nodejs is a HAXcms nodejs backend Affected versions of this package are vulnerable to Insecure Storage of Sensitive Information via the connectionSettings function. An attacker can gain unauthorized access to authentication tokens and impersonate other users by injectin...

Cross-site Scripting (XSS)

Overview @haxtheweb/iframe-loader is an Adds a loading indicator for iframes. Affected versions of this package are vulnerable to Cross-site Scripting XSS via improper sanitization of elements that allow javascript: URIs in the src attribute. An attacker can execute arbitrary JavaScript in the...

Cross-site Scripting (XSS)

Overview @haxtheweb/haxcms-nodejs is a HAXcms nodejs backend Affected versions of this package are vulnerable to Cross-site Scripting XSS via improper sanitization of elements that allow javascript: URIs in the src attribute. An attacker can execute arbitrary JavaScript in the victim's browser...

Cross-site Scripting (XSS)

Overview @haxtheweb/video-player is an Automated conversion of video-player/ Affected versions of this package are vulnerable to Cross-site Scripting XSS via improper sanitization of elements that allow javascript: URIs in the src attribute. An attacker can execute arbitrary JavaScript in the...

Use of a Broken or Risky Cryptographic Algorithm

Overview @haxtheweb/haxcms-nodejs is a HAXcms nodejs backend Affected versions of this package are vulnerable to Use of a Broken or Risky Cryptographic Algorithm via the hmacBase64 function. An attacker can obtain sensitive cryptographic material by sending a single unauthenticated HTTP request t...

Server-side Request Forgery (SSRF)

Overview @haxtheweb/open-apis is a Shared API infrastructure for HAXTheWeb advanced capabilities like importing, parsing, analysis, migration Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via improper hostname validation in the cacheAddress, JOSHelpers, and...

Cross-site Scripting (XSS)

Overview @haxtheweb/video-player is an Automated conversion of video-player/ Affected versions of this package are vulnerable to Cross-site Scripting XSS via the video-player component's source and source-data attributes. An attacker can execute arbitrary JavaScript in the victim's browser and...

Cross-site Scripting (XSS)

Overview @haxtheweb/haxcms-nodejs is a HAXcms nodejs backend Affected versions of this package are vulnerable to Cross-site Scripting XSS via the video-player component's source and source-data attributes. An attacker can execute arbitrary JavaScript in the victim's browser and access sensitive...

Server-side Request Forgery (SSRF)

Overview @haxtheweb/haxcms-nodejs is a HAXcms nodejs backend Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the createSite function. An attacker can access internal network resources and read arbitrary files by supplying crafted URLs or file paths to the...

Insecure Default Initialization of Resource

Overview Affected versions of this package are vulnerable to Insecure Default Initialization of Resource in the GenFileChangeEvents handler. An attacker can obtain continuous access to sensitive file and directory information by connecting to the SSE endpoint without authentication. Remediation...

Allocation of Resources Without Limits or Throttling

Overview Scriban is a Scriban is a fast, powerful, safe and lightweight scripting language and engine for .NET, which was primarily developed for text templating with a compatibility mode for parsing liquid templates. Today, not only Scriban can be used in text templating scenarios, but also can ...

Allocation of Resources Without Limits or Throttling

Overview Scriban.Signed is a fast, powerful, safe and lightweight scripting language and engine for .NET, which was primarily developed for text templating with a compatibility mode for parsing liquid templates. Affected versions of this package are vulnerable to Allocation of Resources Without...

Malicious Package

Overview psxjson is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...

Information Exposure

Overview Affected versions of this package are vulnerable to Information Exposure in the frontend build process when it exits with a non-zero status. An attacker can obtain sensitive environment variables, including credentials, by reviewing build logs or archived build artifacts generated during...

Information Exposure

Overview Affected versions of this package are vulnerable to Information Exposure in the frontend build process when it exits with a non-zero status. An attacker can obtain sensitive environment variables, including credentials, by reviewing build logs or archived build artifacts generated during...

Information Exposure

Overview Affected versions of this package are vulnerable to Information Exposure in the frontend build process when it exits with a non-zero status. An attacker can obtain sensitive environment variables, including credentials, by reviewing build logs or archived build artifacts generated during...

Origin Validation Error

Overview mlflow is a platform to streamline machine learning development, including tracking experiments, packaging code into reproducible runs, and sharing and deploying models. Affected versions of this package are vulnerable to Origin Validation Error in the /ajax-api endpoints. An attacker ca...

Origin Validation Error

Overview Affected versions of this package are vulnerable to Origin Validation Error in the /ajax-api endpoints. An attacker can gain unauthorized access to the Assistant's configuration and execute arbitrary commands by sending crafted cross-origin requests from a malicious webpage. Remediation...

Malicious Package

Overview chai-as-attracted is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

Malicious Package

Overview chai-as-vec is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorshi...

Malicious Package

Overview chai-as-elevated is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

Open Redirect

Overview org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Open Redirect through the areWildcardsAllowed check in RedirectUtils. An attacker can bypass redirect URI...

User Impersonation

Overview org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to User Impersonation through the SessionCodeChecks logic in SessionCodeChecks.java. An attacker can reuse an...

External Control of Assumed-Immutable Web Parameter

Overview org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to External Control of Assumed-Immutable Web Parameter via the SessionCodeChecks restart flow in the login sessi...

Authorization Bypass Through User-Controlled Key

Overview org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the generateAccessToken path in...

Improper Validation of Syntactic Correctness of Input

Overview org.keycloak:keycloak-saml-core is an Identity and Access Management plugin for Keycloak. Affected versions of this package are vulnerable to Improper Validation of Syntactic Correctness of Input in the SAMLParser and SAML11ParserUtil code paths that handle SAML 1.1 assertions and protoc...

Insufficient Granularity of Access Control

Overview org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Insufficient Granularity of Access Control via the user handler in the resource account service. An attacker...

Incorrect Implementation of Authentication Algorithm

Overview org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Incorrect Implementation of Authentication Algorithm through the TokenManager and OIDC endpoint token checks ...

Client-Side Enforcement of Server-Side Security

Overview org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Client-Side Enforcement of Server-Side Security through the processAction registration flow in the WebAuthn...

Missing Authorization

Overview glpi/glpi is a free Asset and IT Management Software package with ITIL Service Desk, licenses tracking and software auditing. Affected versions of this package are vulnerable to Missing Authorization in the export process. An attacker can gain access to the structure of forms they are no...

Replay Attack

Overview org.keycloak:keycloak-server-spi-private is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Replay Attack through the RequiredActionFactory and required-action implementations in the...

Replay Attack

Overview org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Replay Attack through the RequiredActionFactory and required-action implementations in the authentication flo...

Open Redirect

Overview org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Open Redirect via the TokenEndpoint introspection flow in the OIDC protocol handlers. An attacker can...

Directory Traversal

Overview @joplin/onenote-converter is an Used to import a OneNote archive into Joplin Affected versions of this package are vulnerable to Directory Traversal via the OneNote importer. An attacker can overwrite arbitrary files on disk by supplying a crafted .one file containing specially crafted...

Creation of Temporary File With Insecure Permissions

Overview Affected versions of this package are vulnerable to Creation of Temporary File With Insecure Permissions via the getorcreatenfstmpdir and createmodeldownloadingtmpdir functions. An attacker can modify model artifacts by exploiting these permissions, potentially leading to arbitrary code...

Creation of Temporary File With Insecure Permissions

Overview mlflow is a platform to streamline machine learning development, including tracking experiments, packaging code into reproducible runs, and sharing and deploying models. Affected versions of this package are vulnerable to Creation of Temporary File With Insecure Permissions via the...

Missing Authorization

Overview @steipete/summarize is a Link → clean text → summary. Affected versions of this package are vulnerable to Missing Authorization via the extension automation feature. An attacker can perform unauthorized browser automation actions by tricking a user into interacting with attacker-controll...

Missing Authorization

Overview @steipete/summarize is a Link → clean text → summary. Affected versions of this package are vulnerable to Missing Authorization via the window.postMessage bridge in the content script. An attacker can access, modify, or delete automation artifacts by sending crafted runtime messages with...

Missing Authorization

Overview @steipete/summarize is a Link → clean text → summary. Affected versions of this package are vulnerable to Missing Authorization via the slidesDir parameter in the /v1/summarize endpoint. An attacker can write arbitrary files, such as slide.png and slides.json, to any writable directory a...