36346 matches found
Malicious Package
Overview ai-p2p is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...
Malicious Package
Overview loader1 is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...
Malicious Package
Overview websight-p2p is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview websight2-p2p is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview wordpad-text-ui is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview vor8zakon is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...
Malicious Package
Overview claude-token-tracker-mcp is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...
Malicious Package
Overview @sectest429/hello-npm-world is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...
Malicious Package
Overview field-plus is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...
Malicious Package
Overview nyt-cms is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...
Malicious Package
Overview n8n-nodes-rce-poc is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview internallibv907 is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Improper Handling of Highly Compressed Data (Data Amplification)
Overview Affected versions of this package are vulnerable to Improper Handling of Highly Compressed Data Data Amplification through the processing of untrusted .isdocx or .pdf files, where ZIP entries and embedded files are inflated or read without validating their uncompressed size. An attacker...
Command Injection
Overview systeminformation is a simple system and OS information library. Affected versions of this package are vulnerable to Command Injection through the checkLinuxDCHPInterfaces function in lib/network.js. An attacker can execute arbitrary commands by supplying a malicious source path in a Lin...
Allocation of Resources Without Limits or Throttling
Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling through the parseBaggageHeaders extraction path in dd-trace-core/src/main/java/datadog/trace/core/baggage/BaggagePropagator.java. An attacker can exhaust CPU and memory by sending a...
Server-side Request Forgery (SSRF)
Overview 9router is a 9Router CLI - Start and manage 9Router server Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the region parameter in the POST /api/oauth/kiro/api-key endpoint. An attacker can cause requests to be sent to arbitrary hosts with sensiti...
Command Injection
Overview 9router is a 9Router CLI - Start and manage 9Router server Affected versions of this package are vulnerable to Command Injection via unvalidated arguments passed to the childprocess.spawn function. An attacker can execute arbitrary commands on the host operating system by sending malicio...
Allocation of Resources Without Limits or Throttling
Overview websocket-driver is a websocket protocol handler with pluggable I/O. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via message compression through the hybi message handling in lib/websocket/driver/hybi.js. An attacker can make a...
Improper Handling of Length Parameter Inconsistency
Overview websocket-driver is a websocket protocol handler with pluggable I/O. Affected versions of this package are vulnerable to Improper Handling of Length Parameter Inconsistency through the hybi.js WebSocket frame processing in lib/websocket/driver. An attacker can corrupt how the server pars...
Malicious Package
Overview rhynpm is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...
Cross-site Scripting (XSS)
Overview mantisbt/mantisbt is a mantis bug tracker. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the printallbugpageword.php process. An attacker can execute arbitrary JavaScript in the context of another user by uploading an image attachment with a specially...
Improper Input Validation
Overview mantisbt/mantisbt is a mantis bug tracker. Affected versions of this package are vulnerable to Improper Input Validation via the mcissueupdate process in the SOAP and REST APIs. An attacker can inject unauthorized TIMETRACKING and REMINDER notes by supplying a crafted notetype parameter,...
Authorization Bypass Through User-Controlled Key
Overview mantisbt/mantisbt is a mantis bug tracker. Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key in the REST and SOAP API update process. An attacker can assign unreleased product versions by sending crafted API requests with insufficient...
Incorrect Authorization
Overview Affected versions of this package are vulnerable to Incorrect Authorization in the DeleteWithPathPrefix process. An attacker can access unintended files by deleting a shared directory using a path with a trailing slash, which leaves a stale public share that may expose future content if...
Incorrect Authorization
Overview Affected versions of this package are vulnerable to Incorrect Authorization in the DeleteWithPathPrefix process. An attacker can access unintended files by deleting a shared directory using a path with a trailing slash, which leaves a stale public share that may expose future content if...
Use of Non-Canonical URL Paths for Authorization Decisions
Overview github.com/filebrowser/filebrowser/v2/http is a web file browser. Affected versions of this package are vulnerable to Use of Non-Canonical URL Paths for Authorization Decisions in the cleanUsername process. An attacker can gain unauthorized access to another user's files by registering a...
Use of Non-Canonical URL Paths for Authorization Decisions
Overview Affected versions of this package are vulnerable to Use of Non-Canonical URL Paths for Authorization Decisions in the cleanUsername process. An attacker can gain unauthorized access to another user's files by registering a username that normalizes to the same home directory as an existin...
Use of Non-Canonical URL Paths for Authorization Decisions
Overview Affected versions of this package are vulnerable to Use of Non-Canonical URL Paths for Authorization Decisions in the cleanUsername process. An attacker can gain unauthorized access to another user's files by registering a username that normalizes to the same home directory as an existin...
Use of Non-Canonical URL Paths for Authorization Decisions
Overview Affected versions of this package are vulnerable to Use of Non-Canonical URL Paths for Authorization Decisions in the cleanUsername process. An attacker can gain unauthorized access to another user's files by registering a username that normalizes to the same home directory as an existin...
Use of Non-Canonical URL Paths for Authorization Decisions
Overview Affected versions of this package are vulnerable to Use of Non-Canonical URL Paths for Authorization Decisions in the cleanUsername process. An attacker can gain unauthorized access to another user's files by registering a username that normalizes to the same home directory as an existin...
Use of Non-Canonical URL Paths for Authorization Decisions
Overview Affected versions of this package are vulnerable to Use of Non-Canonical URL Paths for Authorization Decisions in the cleanUsername process. An attacker can gain unauthorized access to another user's files by registering a username that normalizes to the same home directory as an existin...
Use of Non-Canonical URL Paths for Authorization Decisions
Overview Affected versions of this package are vulnerable to Use of Non-Canonical URL Paths for Authorization Decisions in the cleanUsername process. An attacker can gain unauthorized access to another user's files by registering a username that normalizes to the same home directory as an existin...
Use of Non-Canonical URL Paths for Authorization Decisions
Overview Affected versions of this package are vulnerable to Use of Non-Canonical URL Paths for Authorization Decisions in the cleanUsername process. An attacker can gain unauthorized access to another user's files by registering a username that normalizes to the same home directory as an existin...
Directory Traversal
Overview github.com/filebrowser/filebrowser/v2/http is a web file browser. Affected versions of this package are vulnerable to Directory Traversal in the archive builder process. An attacker can write files outside the intended extraction directory by uploading a file with a specially crafted...
Cross-site Scripting (XSS)
Overview mantisbt/mantisbt is a mantis bug tracker. Affected versions of this package are vulnerable to Cross-site Scripting XSS through the install.php process. An attacker can execute arbitrary scripts in the context of the victim's browser by crafting a malicious URL containing user-supplied...
Allocation of Resources Without Limits or Throttling
Overview ws is a simple to use websocket client, server and console for node.js. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling through the receiver.js. An attacker can cause memory exhaustion by sending incomplete fragmented WebSocket...
Cross-site Scripting (XSS)
Overview mantisbt/mantisbt is a mantis bug tracker. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the printtestresult function in /admin/install.php. An attacker can inject malicious HTML or scripts by supplying crafted parameters, leading to credential phishing...
Server-side Request Forgery (SSRF)
Overview phanan/koel is a personal audio streaming service. Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the isPublicHost process. An attacker can access internal resources and retrieve sensitive information by supplying a specially crafted podcast...
Server-side Request Forgery (SSRF)
Overview phanan/koel is a personal audio streaming service. Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the isSafeUrl process. An attacker can access internal network resources and sensitive cloud metadata endpoints by supplying a crafted URL that...
Malicious Package
Overview fflask is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...
Server-side Request Forgery (SSRF)
Overview phanan/koel is a personal audio streaming service. Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the createPodcastChannel.view endpoint and the PodcastService::getStreamableUrl process. An attacker can cause the backend to make arbitrary HTTP...
Server-side Request Forgery (SSRF)
Overview phanan/koel is a personal audio streaming service. Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the openStream function. An attacker can retrieve sensitive information from internal network resources by supplying a crafted URL to the...
Server-side Request Forgery (SSRF)
Overview phanan/koel is a personal audio streaming service. Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the createPodcastChannel.view process. An attacker can cause the server to initiate HTTP requests to internal or private network resources by...
Missing Authorization
Overview mantisbt/mantisbt is a mantis bug tracker. Affected versions of this package are vulnerable to Missing Authorization via the REST and SOAP API process. An attacker can modify issue statuses without proper authorization by sending crafted API requests that bypass intended access controls...
Eval Injection
Overview mantisbt/mantisbt is a mantis bug tracker. Affected versions of this package are vulnerable to Eval Injection in the admconfigset.php process. An attacker can execute arbitrary code by submitting a specially crafted configuration value that defines a class, which is then hoisted and...
Authorization Bypass Through User-Controlled Key
Overview mantisbt/mantisbt is a mantis bug tracker. Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the mcichecklogin function in the SOAP API. An attacker can gain unauthorized administrator access by supplying a valid cookiestring and a...
SQL Injection
Overview mantisbt/mantisbt is a mantis bug tracker. Affected versions of this package are vulnerable to SQL Injection via the historyorder configuration value in the historyapi.php process. An attacker can execute arbitrary SQL commands by injecting malicious input into the configuration, which i...
Malicious Package
Overview datefmt-helper is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview npm-rce-poc is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorshi...
Improper Privilege Management
Overview phpmyfaq/phpmyfaq is a FAQ system for PHP and MySQL, PostgreSQL and other databases Affected versions of this package are vulnerable to Improper Privilege Management in the user/add endpoint. An attacker can gain unauthorized administrative privileges by sending a POST request with the...