commandkit is a Beginner friendly command & event handler for Discord.js

Affected versions of this package are vulnerable to Use of Incorrectly-Resolved Name or Reference due to the ctx.commandName property exposing the alias used instead of the canonical command name in both middleware and command execution contexts. An attacker can bypass intended access controls or execute unauthorized commands by invoking commands through their aliases, potentially leading to incorrect permission checks or audit logging.

##Workaround

This vulnerability can be mitigated by using ctx.command.data.command.name for permission validations or by including all command aliases in permission logic.

llama-index-core is an Interface between LLMs and your data

Affected versions of this package are vulnerable to Insecure Temporary File due to setting the NLTK data directory to a shared, world-writable subdirectory. An attacker can overwrite, delete, or corrupt data files by exploiting the shared cache directory in a multi-user environment.

Affected versions of this package are vulnerable to Incorrect Authorization in the _com_liferay_change_tracking_web_portlet_PublicationsPortlet_value parameter. An attacker can access and modify publication comments by sending crafted URLs as an authenticated user.