
Vulnerabilities from the last week
Cross-site Scripting (XSS)
unhead is a full-stack <head> manager built for any framework.
Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the acceptDataAttrs function, which lets attribute names containing spaces or other illegal characters pass through into SSR-rendered HTML tags. Because the attribute name is written into the markup unchecked, an attacker who controls it can close the intended attribute and append an event handler, so arbitrary JavaScript runs in the context of the affected application when the rendered HTML is loaded.
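The following is an added example, not code from unhead or from the advisory. It shows the mechanism the advisory describes: an SSR tag serializer that escapes attribute values but writes attribute names out verbatim, next to one that validates each name first. SAFE_ATTR_NAME, renderTagVulnerable, renderTagHardened and the attacker-supplied attribute name are all assumptions made for this illustration.

```javascript
// Added example (not unhead's code). Demonstrates attribute-name injection in
// an SSR tag serializer and one way to close it. All names are illustrative.

// Conservative allowlist for attribute names (assumption): letters, digits,
// '-', '_', ':' and '.'; no whitespace, quotes, '=', '/', '<' or '>'.
const SAFE_ATTR_NAME = /^[A-Za-z_:][A-Za-z0-9_:.-]*$/;

function escapeAttrValue(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Vulnerable: the value is escaped, but the name is emitted as-is, so a name
// containing a space or '"' terminates the intended attribute and starts new
// attributes of the attacker's choosing.
function renderTagVulnerable(tag, attrs) {
  const parts = Object.entries(attrs).map(
    ([name, value]) => `${name}="${escapeAttrValue(value)}"`,
  );
  return `<${tag} ${parts.join(' ')}>`;
}

// Hardened: refuse any attribute name outside the allowlist before it reaches
// the markup. Throwing, rather than silently dropping the attribute, makes bad
// input visible in tests and logs.
function renderTagHardened(tag, attrs) {
  const parts = [];
  for (const [name, value] of Object.entries(attrs)) {
    if (!SAFE_ATTR_NAME.test(name)) {
      throw new Error(`illegal attribute name: ${JSON.stringify(name)}`);
    }
    parts.push(`${name}="${escapeAttrValue(value)}"`);
  }
  return `<${tag} ${parts.join(' ')}>`;
}

// Constructed attacker-controlled attribute name. The embedded space and
// quotes let it smuggle an event handler into the tag.
const EVIL_NAME = 'data-x="" onload="alert(1)" data-y';

// True when the rendered markup carries an onload handler, i.e. the
// injection succeeded.
function injectsHandler(html) {
  return /\sonload=/.test(html);
}

// True when the hardened renderer rejected the attribute set.
function hardenedRejects(attrs) {
  try {
    renderTagHardened('img', attrs);
    return false;
  } catch (e) {
    return true;
  }
}

const attrs = { [EVIL_NAME]: 'safe', src: '/a.png' };
console.log(renderTagVulnerable('img', attrs));
// <img data-x="" onload="alert(1)" data-y="safe" src="/a.png">
console.log('hardened rejects:', hardenedRejects(attrs));
```

The point to check in your own serializer is whether the name side of `name="value"` goes through any validation at all; escaping the value alone does nothing against this class of bug.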
Improper Neutralization of Special Elements in Data Query Logic
graphiti-core is a temporal graph building library.
Affected versions of this package are vulnerable to Improper Neutralization of Special Elements in Data Query Logic via the handling of SearchFilters.node_labels. Label values are concatenated into Cypher label expressions without validation, so an attacker who supplies crafted labels can execute arbitrary Cypher queries with the privileges of the connected graph database. This can lead to unauthorized reading, modification, or deletion of graph data, and to bypassing the logical group isolation that is enforced at the query layer. This is only exploitable if untrusted input reaches SearchFilters.node_labels, or if an LLM client is induced to call search_nodes with attacker-controlled entity_types values.
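The following is an added example, not code from graphiti-core or from the advisory. It shows the class of bug described above: a Cypher label expression assembled by string concatenation from caller-supplied labels, beside a version that validates each label before it is spliced in. SAFE_LABEL, buildNodeQueryVulnerable, buildNodeQueryHardened, the query shape and the payload are all assumptions made for this illustration.

```javascript
// Added example (not graphiti-core's code). Demonstrates Cypher label-expression
// injection and an allowlist check that prevents it. All names are illustrative.

// Labels used here are plain identifiers (assumption): a leading letter or
// underscore, then letters, digits or underscores.
const SAFE_LABEL = /^[A-Za-z_][A-Za-z0-9_]*$/;

// Vulnerable: joins labels with '|' (Cypher label disjunction, n:A|B) and
// splices the result into the pattern. Anything in a label that closes the
// node pattern or opens a comment rewrites the rest of the query.
function buildNodeQueryVulnerable(labels) {
  const labelExpr = labels.join('|');
  return `MATCH (n:${labelExpr}) WHERE n.group_id = $group_id RETURN n`;
}

// Hardened: every label must match the allowlist. The query text is the same
// and group_id stays a bound parameter; only the labels are now trustworthy.
function buildNodeQueryHardened(labels) {
  for (const label of labels) {
    if (!SAFE_LABEL.test(label)) {
      throw new Error(`illegal node label: ${JSON.stringify(label)}`);
    }
  }
  return `MATCH (n:${labels.join('|')}) WHERE n.group_id = $group_id RETURN n`;
}

// Constructed payload. ')' closes the node pattern, 'RETURN n' ends the query
// early, and '//' (a Cypher line comment) hides the group_id filter that
// follows, so the query returns nodes from every group.
const EVIL_LABEL = 'Entity) RETURN n //';

// True if the group isolation predicate has been pushed behind a line comment
// and is therefore no longer applied.
function groupFilterDisabled(query) {
  const comment = query.indexOf('//');
  const filter = query.indexOf('n.group_id');
  return comment !== -1 && filter > comment;
}

// True when the hardened builder rejected the label list.
function hardenedRejectsLabels(labels) {
  try {
    buildNodeQueryHardened(labels);
    return false;
  } catch (e) {
    return true;
  }
}

console.log(buildNodeQueryVulnerable(['Entity', EVIL_LABEL]));
// MATCH (n:Entity|Entity) RETURN n //) WHERE n.group_id = $group_id RETURN n
console.log('hardened rejects:', hardenedRejectsLabels(['Entity', EVIL_LABEL]));
```

Labels cannot be passed as query parameters in Cypher, which is why an allowlist on the label text (or a fixed mapping from caller-visible names to known labels) is the right control here, not escaping.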
Deserialization of Untrusted Data
Affected versions of this package are vulnerable to Deserialization of Untrusted Data in the Jackson-based deserialization used by the Spark History Server web UI. An attacker who can write event logs can inject crafted JSON into event log files; when the History Server deserializes those files, attacker-controlled commands are executed on the host.
Recent vulnerabilities disclosed by Snyk
- High: Improper Verification of Cryptographic Signature in sjcl (npm)
- High: Authorization Bypass Through User-Controlled Key in flowise (npm)
- High: Directory Traversal in @google/clasp (npm)
- Critical: Improper Handling of Case Sensitivity in @whyour/qinglong (npm)
- Critical: Remote Code Execution (RCE) in @whyour/qinglong (npm)
Snyk security researchers have disclosed 3476 vulnerabilities.
About the Snyk dependencies vulnerability database
Snyk is a developer security platform. Integrating directly into development tools, workflows, and automation pipelines, Snyk makes it easy for teams to find, prioritize, and fix security vulnerabilities in code, dependencies, containers, and infrastructure as code. Supported by industry-leading application and security intelligence, Snyk puts security expertise in any developer's toolkit.