441 matches found
MCP Server Kubernetes: Tool Access Control Bypass via Presentation-Layer Filtering Without Execution-Layer Enforcement
Summary: mcp-server-kubernetes exposes three environment variables (ALLOWONLYREADONLYTOOLS, ALLOWONLYNONDESTRUCTIVETOOLS, ALLOWEDTOOLS) documented as access controls for restricting which Kubernetes operations are available. These controls are enforced at the tool discovery layer (tools/list) but not ...
CLEANSTART-2026-VZ08395 Security fixes for CVE-2026-24051, CVE-2026-27139, CVE-2026-27141, CVE-2026-32280, CVE-2026-32281, CVE-2026-32282, CVE-2026-32283, CVE-2026-32289, CVE-2026-33186, CVE-2026-33810, CVE-2026-39883, ghsa-9h8m-3fm2-qjrq, ghsa-p77j-4mvh-x3m3 applied in versions: 3.6.0-r3, 3.6.0-r4
Multiple security vulnerabilities affect the fluent-operator-fips package. These issues are resolved in later releases. See references for individual vulnerability details...
@agentionai/agents (>=0.11.0 <=0.12.0-beta), @andreafspeziale/nestjs-search (>=2.0.0 <=2.0.1) +83 more potentially affected by unknown CVE via @opensearch-project/opensearch (>=3.2.0 <=3.6.0)
@opensearch-project/opensearch NPM version =3.2.0, =0.11.0, =2.0.0, =1.8.0, =3.0.17, =1.0.84, =0.1.0, =1.0.1, =0.1.0, =0.1.0, =0.0.0, =0.5.1 and more Source cves: unknown CVE Source advisory: SNYK:JS-OPENSEARCHPROJECTOPENSEARCH-16640915...
CVE-2026-7308
An authenticated user with upload permission to a hosted repository can store content that causes arbitrary JavaScript to execute in the browser of any user who browses that repository directory via the HTML index page in Sonatype Nexus Repository versions 3.6.0 through versions before 3.92.0. Th...
CVE-2026-7308 Nexus Repository 3 - Stored Cross-Site Scripting (XSS) via HTML Browse Page
An authenticated user with upload permission to a hosted repository can store content that causes arbitrary JavaScript to execute in the browser of any user who browses that repository directory via the HTML index page in Sonatype Nexus Repository versions 3.6.0 through versions before 3.92.0. Th...
CVE-2026-7308
CVE-2026-7308 (Nexus Repository): An authenticated user with upload permissions can store content that triggers arbitrary JavaScript in the browser of any user visiting the repository HTML index page, via Nexus Repository versions 3.6.0–3.91.x (3.92.0 fixes this). The attack is a stored XSS on t...
Sonatype Nexus Repository Cross-Site Scripting Vulnerability
Sonatype Nexus Repository is a repository manager developed by Sonatype, Inc. in the United States. It is primarily used for managing, storing, and distributing software, etc. Versions of Sonatype Nexus Repository from 3.6.0 to 3.92.0 contained a cross-site scripting vulnerability. This...
Astra Linux - vulnerability in wireshark
An infinite loop in the RTMPT dissector in Wireshark 3.6.0 and 3.4.0 to 3.4.10 allows for denial of service through packet injection or crafted capture files...
Astra Linux - vulnerability in wireshark
A crash in the Sysdig Event dissector in Wireshark versions 3.6.0, 3.4.0 to 3.4.10 allows for denial of service through packet injection or crafted capture files...
Astra Linux - vulnerability in wireshark
In Wireshark versions 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13, the VMS TCPIP trace file parser crashes. This issue allows for denial of service through malicious capture files...
Astra Linux - vulnerability in wireshark
The GDSDB infinite loop in Wireshark versions 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows for denial of service through packet injection or malicious capture files...
Astra Linux - vulnerability in wireshark
A memory leak in the BT SDP dissector in Wireshark versions 4.0.0 to 4.0.7 and 3.6.0 to 3.6.15 allows for denial of service through packet injection or malicious capture files...
Astra Linux - vulnerability in wireshark
The NetScaler file parser crashes in Wireshark versions 4.0.0 to 4.0.5, and 3.6.0 to 3.6.13. This issue allows for denial of service through crafted capture files...
Astra Linux - vulnerability in wireshark
A memory leak occurs in the NFS dissector in Wireshark versions 4.0.0 to 4.0.2, and 3.6.0 to 3.6.10. This issue may lead to denial of service through packet injection or with specially crafted capture files...
CVE-2026-5781
An authorization vulnerability in MphRx’s Minerva v3.6.0 affects the /minerva/moUser/update endpoint. An authenticated user with user-modification privileges can escalate to administrator by sending an HTTP request with a manipulated 'identifier' field. The CVSS metrics indicate high impact and p...
CVE-2026-5781
An authorization vulnerability in MphRx's Minerva V3.6.0, specifically in the '/minerva/moUser/update' endpoint, could allow an authenticated user with user modification privileges to escalate their privileges by sending an HTTP request with a manipulated 'identifier' field. Successful exploitati...
MphRx Minerva Access Control Error Vulnerability
MphRx Minerva is a medical data integration and interoperability platform developed by MphRx Corporation. Version MphRx Minerva V3.6.0 contains a security vulnerability related to access control. This vulnerability stems from an insecure direct object reference in the /minerva/moUser/show endpoin...
PT-2026-35716
Name of the Vulnerable Software and Affected Versions Minerva version 3.6.0 Description An authorization issue in the '/minerva/moUser/update' endpoint allows an authenticated user with user modification privileges to escalate their privileges to administrator. This is achieved by sending an HTTP...
GHSA-J452-XHG8-QG39 Mafintosh's protocol-buffers-schema is vulnerable to prototype pollution
JavaScript is vulnerable to prototype pollution in Mafintosh's protocol-buffers-schema Version 3.6.0, where an attacker may alter the application logic, bypass security checks, cause a DoS or achieve remote code execution...
@amitojsingh366/keepkey-hardware-controller (=0.0.10), @apsiocoin/protobuf-serialization (=0.0.1-alpha1) +179 more potentially affected by CVE-2026-5758 via protocol-buffers-schema (>=3.1.0 <=3.6.0)
protocol-buffers-schema NPM version =3.1.0, =2.0.9, =2.0.7, =2.1.2, =0.0.25, =0.0.19, =2.0.12, =2.0.11, =0.0.12, =6.1.2, =0.18.4, =0.18.4, =1.16.11, =1.4.2, =2.14.3 and more Source cves: CVE-2026-5758 Source advisory: SNYK:JS-PROTOCOLBUFFERSSCHEMA-16420259...