13977 matches found
Fedora 44 : rubygem-json (2026-3a7663d43d)
The remote Fedora 44 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2026-3a7663d43d advisory. New version 2.19.2 is released. This fixes a format string injection vulnerability in JSON.parse, which is now assigned as CVE-2026-33210 Tenable has extract...
Session Fixation
Overview mcp is a The official Ruby SDK for Model Context Protocol servers and clients Affected versions of this package are vulnerable to Session Fixation through the storestreamforsession process in lib/mcp/server/transports/streamablehttptransport.rb. An attacker can intercept all subsequent...
CVE-2026-33946
MCP Ruby SDK is the official Ruby SDK for Model Context Protocol servers and clients. Prior to version 0.9.2, the Ruby SDK's streamablehttptransport.rb implementation contains a session hijacking vulnerability. An attacker who obtains a valid session ID can completely hijack the victim's...
EUVD-2026-16866
MCP Ruby SDK is the official Ruby SDK for Model Context Protocol servers and clients. Prior to version 0.9.2, the Ruby SDK's streamablehttptransport.rb implementation contains a session hijacking vulnerability. An attacker who obtains a valid session ID can completely hijack the victim's...
CVE-2026-33946
MCP Ruby SDK is the official Ruby SDK for Model Context Protocol servers and clients. Prior to version 0.9.2, the Ruby SDK's streamablehttptransport.rb implementation contains a session hijacking vulnerability. An attacker who obtains a valid session ID can completely hijack the victim's...
CVE-2026-33946
The CVE affects the MCP Ruby SDK prior to 0.9.2. In streamable_http_transport.rb, an attacker with a valid session ID can hijack the victim’s SSE stream and intercept real-time data, due to insufficient session binding. Version 0.9.2 patches this. No additional exploit details are provided beyond...
CVE-2026-33946 MCP Ruby SDK: Insufficient Session Binding Allows SSE Stream Hijacking via Session ID Replay
MCP Ruby SDK is the official Ruby SDK for Model Context Protocol servers and clients. Prior to version 0.9.2, the Ruby SDK's streamablehttptransport.rb implementation contains a session hijacking vulnerability. An attacker who obtains a valid session ID can completely hijack the victim's...
CVE-2026-33946 MCP Ruby SDK: Insufficient Session Binding Allows SSE Stream Hijacking via Session ID Replay
MCP Ruby SDK is the official Ruby SDK for Model Context Protocol servers and clients. Prior to version 0.9.2, the Ruby SDK's streamablehttptransport.rb implementation contains a session hijacking vulnerability. An attacker who obtains a valid session ID can completely hijack the victim's...
CVE-2026-33946 MCP Ruby SDK: Insufficient Session Binding Allows SSE Stream Hijacking via Session ID Replay
MCP Ruby SDK is the official Ruby SDK for Model Context Protocol servers and clients. Prior to version 0.9.2, the Ruby SDK's streamablehttptransport.rb implementation contains a session hijacking vulnerability. An attacker who obtains a valid session ID can completely hijack the victim's...
Ruby LSP has arbitrary code execution through branch setting
Summary The rubyLsp.branch VS Code workspace setting was interpolated without sanitization into a generated Gemfile, allowing arbitrary Ruby code execution when a user opens a project containing a malicious .vscode/settings.json. Other editors that support workspace setting that get automatically...
GHSA-C4R5-FXQW-VH93 Ruby LSP has arbitrary code execution through branch setting
Summary The rubyLsp.branch VS Code workspace setting was interpolated without sanitization into a generated Gemfile, allowing arbitrary Ruby code execution when a user opens a project containing a malicious .vscode/settings.json. Other editors that support workspace setting that get automatically...
Arbitrary Code Injection
Overview Affected versions of this package are vulnerable to Arbitrary Code Injection via unsanitized interpolation of the branch setting in the Gemfile generation process. An attacker can execute arbitrary Ruby code by crafting a malicious .vscode/settings.json or equivalent workspace...
MAL-2026-2265 Malicious code in monolith-twirp-codingagentintegrations-codingagentintegrations (RubyGems)
--- -= Per source details. Do not edit below this line.=- Source: ossf-package-analysis 24ecd94ab40a4a1b574b48137b92d60ad65d610301ee07661c928706bd54c81b The OpenSSF Package Analysis project identified 'monolith-twirp-codingagentintegrations-codingagentintegrations' @ 1.0.2 rubygems as malicious. ...
Malicious code in monolith-twirp-codingagentintegrations-codingagentintegrations (RubyGems)
--- -= Per source details. Do not edit below this line.=- Source: ossf-package-analysis 24ecd94ab40a4a1b574b48137b92d60ad65d610301ee07661c928706bd54c81b The OpenSSF Package Analysis project identified 'monolith-twirp-codingagentintegrations-codingagentintegrations' @ 1.0.2 rubygems as malicious. ...
Malicious code in monolith-twirp-copilot-registry (RubyGems)
--- -= Per source details. Do not edit below this line.=- Source: ossf-package-analysis d1eb9592b2f976d7d487d44c8f45592b2953e5f51edfeee7242e020dfb64176f The OpenSSF Package Analysis project identified 'monolith-twirp-copilot-registry' @ 1.0.6 rubygems as malicious. It is considered malicious...
MAL-2026-2266 Malicious code in monolith-twirp-copilot-registry (RubyGems)
--- -= Per source details. Do not edit below this line.=- Source: ossf-package-analysis d1eb9592b2f976d7d487d44c8f45592b2953e5f51edfeee7242e020dfb64176f The OpenSSF Package Analysis project identified 'monolith-twirp-copilot-registry' @ 1.0.6 rubygems as malicious. It is considered malicious...
Malicious code in monolith-twirp-partitioning-pull_requests (RubyGems)
--- -= Per source details. Do not edit below this line.=- Source: ossf-package-analysis 4214957e3e8849b6df7eb3bbd1b2c6e547fe8aa2c590a8a3a644e7d6ea8d73ed The OpenSSF Package Analysis project identified 'monolith-twirp-partitioning-pullrequests' @ 1.0.2 rubygems as malicious. It is considered...
MAL-2026-2267 Malicious code in monolith-twirp-partitioning-pull_requests (RubyGems)
--- -= Per source details. Do not edit below this line.=- Source: ossf-package-analysis 4214957e3e8849b6df7eb3bbd1b2c6e547fe8aa2c590a8a3a644e7d6ea8d73ed The OpenSSF Package Analysis project identified 'monolith-twirp-partitioning-pullrequests' @ 1.0.2 rubygems as malicious. It is considered...
MAL-2026-2262 Malicious code in monolith-twirp-pullsd-teams (RubyGems)
--- -= Per source details. Do not edit below this line.=- Source: ossf-package-analysis b0a21f2e863ad85bc56da074019b5369ed68dc7280d0c81ff65dd8425308c7f6 The OpenSSF Package Analysis project identified 'monolith-twirp-pullsd-teams' @ 1.1.1 rubygems as malicious. It is considered malicious because:...
Malicious code in monolith-twirp-loops-core (RubyGems)
--- -= Per source details. Do not edit below this line.=- Source: ossf-package-analysis 8d4a98f58930eb7f736a5c69a6cf5de5b6dd033785255d4d55ae1da5a5866629 The OpenSSF Package Analysis project identified 'monolith-twirp-loops-core' @ 1.0.2 rubygems as malicious. It is considered malicious because: -...