commandkit is a beginner-friendly command and event handler for Discord.js.
Affected versions of this package are vulnerable to Use of Incorrectly-Resolved Name or Reference: the ctx.commandName property exposes the alias the user typed rather than the canonical command name, in both middleware and command execution contexts. Any permission check or audit log keyed on ctx.commandName therefore sees the alias, not the command it resolves to. An attacker can invoke a restricted command through one of its aliases to bypass intended access controls or execute commands they are not authorized to run, and audit logging records the alias instead of the real command.
## Workaround
This vulnerability can be mitigated by using ctx.command.data.command.name (the canonical name of the resolved command) for permission validations, or by including every alias of a command in the permission logic.
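The following is an added example, not commandkit's own code: a minimal in-memory command registry with aliases that reproduces the pattern the advisory describes and shows both workarounds. The ctx field names (ctx.commandName, ctx.command.data.command.name) follow the advisory's wording; the registry, the aliases, the `restricted` set and the `isAdmin` flag are constructed for the demonstration.

```javascript
// Constructed command registry: one privileged command with two aliases,
// one harmless command with none. Shape is an assumption, not commandkit's.
const commands = [
  { data: { command: { name: 'ban', aliases: ['b', 'yeet'] } } },
  { data: { command: { name: 'ping', aliases: [] } } },
];

// Commands that require an admin, keyed by canonical name only.
const restricted = new Set(['ban']);

// Resolve the typed name to a registered command (canonical name or alias).
function resolveCommand(invoked) {
  return (
    commands.find(
      (c) =>
        c.data.command.name === invoked ||
        c.data.command.aliases.includes(invoked)
    ) || null
  );
}

// Build a ctx in the shape the advisory describes: commandName carries the
// alias exactly as typed, while ctx.command holds the resolved definition.
function buildContext(invoked, user) {
  const command = resolveCommand(invoked);
  if (!command) return null;
  return { commandName: invoked, command, user };
}

// Vulnerable middleware: keys the permission check on the invoked name, so an
// alias of a restricted command is never found in the restricted set.
function vulnerableAllows(ctx) {
  if (!restricted.has(ctx.commandName)) return true;
  return ctx.user.isAdmin;
}

// Workaround 1: key the check on the canonical name of the resolved command.
function fixedAllows(ctx) {
  const canonical = ctx.command.data.command.name;
  if (!restricted.has(canonical)) return true;
  return ctx.user.isAdmin;
}

// Workaround 2: expand the restricted set with every alias of each
// restricted command, so a check on the invoked name still matches.
function restrictedWithAliases() {
  const expanded = new Set();
  for (const c of commands) {
    if (!restricted.has(c.data.command.name)) continue;
    expanded.add(c.data.command.name);
    for (const alias of c.data.command.aliases) expanded.add(alias);
  }
  return expanded;
}

function aliasAwareAllows(ctx) {
  if (!restrictedWithAliases().has(ctx.commandName)) return true;
  return ctx.user.isAdmin;
}

// Demonstration: a non-admin invoking the restricted command directly and
// through an alias.
const nonAdmin = { isAdmin: false };
const direct = buildContext('ban', nonAdmin);
const viaAlias = buildContext('yeet', nonAdmin);
console.log('direct, vulnerable check :', vulnerableAllows(direct));     // false
console.log('alias, vulnerable check  :', vulnerableAllows(viaAlias));   // true (bypass)
console.log('alias, canonical check   :', fixedAllows(viaAlias));        // false
console.log('alias, alias-aware check :', aliasAwareAllows(viaAlias));   // false
```

The audit-logging side of the advisory follows the same rule: log ctx.command.data.command.name (and, if useful, the alias alongside it) rather than ctx.commandName alone, so that a ban issued as "yeet" is recorded as a ban.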
llama-index-core is an interface between LLMs and your data.
Affected versions of this package are vulnerable to Insecure Temporary File because the NLTK data directory is set to a shared, world-writable subdirectory. On a multi-user host, any local user can write to that shared cache directory and overwrite, delete, or corrupt the NLTK data files that other users' processes later load.
Affected versions of this package are vulnerable to Incorrect Authorization via the _com_liferay_change_tracking_web_portlet_PublicationsPortlet_value parameter. An authenticated attacker can access and modify publication comments that they are not authorized to see by sending crafted URLs.