35547 matches found
Embedded Malicious Code
Overview jscrambler is a Jscrambler Code Integrity API client. Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a cross-platform infostealer. A malicious actor compromised an npm publishing credential associated with Jscrambler, which allowed the attacker ...
Directory Traversal
Overview PraisonAI is a PraisonAI is an AI Agents Framework with Self Reflection. PraisonAI application combines PraisonAI Agents, AutoGen, and CrewAI into a low-code solution for building and managing multi-agent LLM systems, focusing on simplicity, customisation, and efficient human-agent...
Server-side Request Forgery (SSRF)
Overview praisonaiagents is a Praison AI agents for completing complex tasks with Self Reflection Agents Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the Crawl4AI backend process. An attacker can access internal network resources and sensitive informati...
Information Exposure
Overview praisonai is a PraisonAI TypeScript AI Agents Framework - Node.js, npm, and Javascript AI Agents Framework Affected versions of this package are vulnerable to Information Exposure due to insecure default configuration that binds to all interfaces without requiring an API key and allows...
Insecure Default Initialization of Resource
Overview PraisonAI is a PraisonAI is an AI Agents Framework with Self Reflection. PraisonAI application combines PraisonAI Agents, AutoGen, and CrewAI into a low-code solution for building and managing multi-agent LLM systems, focusing on simplicity, customisation, and efficient human-agent...
User Impersonation
Overview PraisonAI is a PraisonAI is an AI Agents Framework with Self Reflection. PraisonAI application combines PraisonAI Agents, AutoGen, and CrewAI into a low-code solution for building and managing multi-agent LLM systems, focusing on simplicity, customisation, and efficient human-agent...
Arbitrary Code Injection
Overview praisonaiagents is a Praison AI agents for completing complex tasks with Self Reflection Agents Affected versions of this package are vulnerable to Arbitrary Code Injection via the CodeAgent.executepython function. An attacker can execute arbitrary code and exfiltrate environment secrets...
Directory Traversal
Overview PraisonAI is a PraisonAI is an AI Agents Framework with Self Reflection. PraisonAI application combines PraisonAI Agents, AutoGen, and CrewAI into a low-code solution for building and managing multi-agent LLM systems, focusing on simplicity, customisation, and efficient human-agent...
Missing Authorization
Overview praisonai-platform is a Platform layer for PraisonAI — workspace, auth, issues, projects Affected versions of this package are vulnerable to Missing Authorization in the PATCH routes for projects, issues, and agents, where insufficient authorization checks allow a workspace member to...
Missing Authorization
Overview PraisonAI is a PraisonAI is an AI Agents Framework with Self Reflection. PraisonAI application combines PraisonAI Agents, AutoGen, and CrewAI into a low-code solution for building and managing multi-agent LLM systems, focusing on simplicity, customisation, and efficient human-agent...
Arbitrary File Upload
Overview parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Arbitrary File Upload in the file upload process when a malformed Content-Type header is supplied and the file extension is...
Server-side Request Forgery (SSRF)
Overview drupal/core is an an open source content management platform powering millions of websites and applications. Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the request process. An attacker can make arbitrary requests to internal or external syste...
Cross-site Scripting (XSS)
Overview drupal/core is an an open source content management platform powering millions of websites and applications. Affected versions of this package are vulnerable to Cross-site Scripting XSS via improper input neutralization during web page generation. An attacker can execute arbitrary script...
Improperly Controlled Modification of Dynamically-Determined Object Attributes
Overview drupal/core is an an open source content management platform powering millions of websites and applications. Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes in the process of modifying dynamically-determin...
Open Redirect
Overview drupal/core is an an open source content management platform powering millions of websites and applications. Affected versions of this package are vulnerable to Open Redirect via the URL redirection process. An attacker can redirect users to malicious sites or poison cache by crafting...
Improperly Controlled Modification of Dynamically-Determined Object Attributes
Overview drupal/core is an an open source content management platform powering millions of websites and applications. Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes in the deserialization process. An attacker can...
Malicious Package
Overview authvaultx is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...
Malicious Package
Overview auth-next-gen is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Incorrect Authorization
Overview snipe/snipe-it is an asset management system built on Laravel. Affected versions of this package are vulnerable to Incorrect Authorization via the printInventory process. An attacker can access inventory and cost/order metadata from modules that should be restricted by leveraging...
Cross-site Scripting (XSS)
Overview snipe/snipe-it is an asset management system built on Laravel. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the UploadFileRequest process, which fails to properly sanitize SVG content unless PHP finfo reports image/svg+xml, and the...
Open Redirect
Overview snipe/snipe-it is an asset management system built on Laravel. Affected versions of this package are vulnerable to Open Redirect via the redirect-intended process. An attacker can redirect users to arbitrary external websites by manipulating the Referer header during the user edit flow...
Cross-site Scripting (XSS)
Overview snipe/snipe-it is an asset management system built on Laravel. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the headercolor setting in the branding configuration. An attacker with superadmin privileges can inject arbitrary CSS that impacts authenticate...
Incorrect Authorization
Overview snipe/snipe-it is an asset management system built on Laravel. Affected versions of this package are vulnerable to Incorrect Authorization in the Importer API endpoint when a user with CSV import capabilities and a valid API key can overwrite the createdby value of an import file. An...
Authorization Bypass Through User-Controlled Key
Overview snipe/snipe-it is an asset management system built on Laravel. Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the unaccepted-assets report delete endpoint. An attacker can remove pending checkout acceptance records belonging to...
Directory Traversal
Overview snipe/snipe-it is an asset management system built on Laravel. Affected versions of this package are vulnerable to Directory Traversal via the image field during CSV import. An attacker can delete arbitrary files accessible to the server process by supplying a crafted path traversal stri...
CSV Injection
Overview snipe/snipe-it is an asset management system built on Laravel. Affected versions of this package are vulnerable to CSV Injection through the postActivityReport process. An attacker can cause arbitrary formula execution in spreadsheet software by injecting a specially crafted User-Agent...
Incorrect Authorization
Overview snipe/snipe-it is an asset management system built on Laravel. Affected versions of this package are vulnerable to Incorrect Authorization due to improper authorization in the legacy license checkin process. An attacker can reclaim license seats assigned to other users or assets by...
Improper Encoding or Escaping of Output
Overview Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output in the MapMessage.asJson method, which emits the bare NaN, Infinity, or -Infinity tokens instead of an RFC 8259-compliant representation. An attacker can emit malformed JSON that corrupts the...
Improper Authentication
Overview Affected versions of this package are vulnerable to Improper Authentication in the ReverseProxy.Rewrite process when the internal authentication token is forwarded to backend services via the x-tsdproxy-auth-token header. An attacker can gain unauthorized management API access and escala...
Malicious Package
Overview type-elint is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...
Missing Authentication for Critical Function
Overview clauster is a Self-hosted web UI for spawning and managing Claude Code remote-control bridges on a remote host. Affected versions of this package are vulnerable to Missing Authentication for Critical Function in the authentication process. An attacker can gain unauthorized access to the...
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Overview prestashop/psfacetedsearch is a PrestaShop module that adds layered navigation filters. Affected versions of this package are vulnerable to Improper Neutralization of Special Elements in Output Used by a Downstream Component 'Injection' via the getFromCache function. An attacker can...
Malicious Package
Overview type-plint is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...
Malicious Package
Overview type-atob is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...
Improper Authentication
Overview Affected versions of this package are vulnerable to Improper Authentication in the auto-linking process by email, as the external identity provider does not verify ownership of the email address before linking accounts. An attacker can gain unauthorized access to a victim's local account...
Missing Authorization
Overview github.com/zitadel/zitadel/internal/api/oidc is a package for identity infrastructure Affected versions of this package are vulnerable to Missing Authorization in the OAuth2 Token Exchange process. An attacker can gain elevated permissions by exchanging a low-privilege token for higher...
Insufficient Session Expiration
Overview Affected versions of this package are vulnerable to Insufficient Session Expiration in the session process. An attacker can bypass token expiration enforcement by providing a JWT without the exp claim, resulting in tokens from trusted issuers being accepted indefinitely. Remediation...
Improper Authentication
Overview prowler is a Prowler is an Open Source security tool to perform AWS, GCP and Azure security best practices assessments, audits, incident response, continuous monitoring, hardening and forensics readiness. It contains hundreds of controls covering CIS, NIST 800, NIST CSF, CISA, RBI,...
Incorrect Authorization
Overview snipe/snipe-it is an asset management system built on Laravel. Affected versions of this package are vulnerable to Incorrect Authorization in the BulkUsersController::destroy process. An attacker can gain unauthorized ability to soft-delete other non-admin users by sending a direct POST...
Missing Authorization
Overview snipe/snipe-it is an asset management system built on Laravel. Affected versions of this package are vulnerable to Missing Authorization via the cancelbyadmin parameter in the asset request cancellation process. An attacker can cancel pending asset requests for other users by supplying a...
Cross-site Scripting (XSS)
Overview snipe/snipe-it is an asset management system built on Laravel. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the markdown-textarea custom field processing. An attacker can execute arbitrary JavaScript in the context of another user by embedding a crafte...
Incorrect Authorization
Overview snipe/snipe-it is an asset management system built on Laravel. Affected versions of this package are vulnerable to Incorrect Authorization in the API location creation process when both Full Multiple Companies Support and scopelocationsfmcs are enabled. An attacker can create a child...
Authorization Bypass Through User-Controlled Key
Overview snipe/snipe-it is an asset management system built on Laravel. Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the assetid field in the API update process. An attacker can gain unauthorized access to assets outside their company...
Authorization Bypass Through User-Controlled Key
Overview snipe/snipe-it is an asset management system built on Laravel. Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the POST /api/v1/kits/kitid/licenses endpoint. An attacker can gain unauthorized access to and manipulate license object...
Improper Privilege Management
Overview snipe/snipe-it is an asset management system built on Laravel. Affected versions of this package are vulnerable to Improper Privilege Management via the UsersController::update process. An attacker can remove or downgrade another user's administrative or granular permissions by submittin...
Authorization Bypass Through User-Controlled Key
Overview krayin/laravel-crm is a hand tailored CRM framework built on some of the hottest opensource technologies such as Laravel a PHP framework and Vue.js a progressive Javascript framework. Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via...
Relative Path Traversal
Overview snipe/snipe-it is an asset management system built on Laravel. Affected versions of this package are vulnerable to Relative Path Traversal via the displaySig process. An attacker can access arbitrary files outside the intended directory by supplying crafted input to the filename paramete...
Directory Traversal
Overview mcp-atlassian is a The Model Context Protocol MCP Atlassian integration is an open-source implementation that bridges Atlassian products Jira and Confluence with AI language models following Anthropic's MCP specification. This project enables secure, contextual AI interactions with...
External Control of File Name or Path
Overview mcp-atlassian is a The Model Context Protocol MCP Atlassian integration is an open-source implementation that bridges Atlassian products Jira and Confluence with AI language models following Anthropic's MCP specification. This project enables secure, contextual AI interactions with...
Protection Mechanism Failure
Overview safeinstall-cli is a Local-first CLI that blocks risky npm, pnpm, and bun installs before they run. Open source. Affected versions of this package are vulnerable to Protection Mechanism Failure through improper shell command parsing in the agent guard. An attacker can execute arbitrary...