Security Bulletin: Vulnerability in MCP Python SDK bundled with IBM Fusion, IBM Fusion HCI and Content-Aware Storage.

Summary IBM Fusion, IBM Fusion HCI and Content-Aware Storage includes MCP Python SDK. Following vulnerability could allow an attacker to invoke tools or access resources exposed by the MCP server on behalf of the user in those limited circumstances. CVE-2025-66416. Vulnerability Details...

CVE-2025-66416

creationtimestamp| type| source ---|---|--- 2025-12-27 04:21:10+00:00| seen| https://bsky.app/profile/euvd-bot.bsky.social/post/3mawxfiwavy2f 2026-05-05 01:21:55+00:00| seen| https://gist.github.com/limcheekin/49ca8210543fa6a982930a55e27a261c...

aenvironment (=0.1.7rc1), agentfetch-mcp (>=1.0.0 <=1.0.1) +291 more potentially affected by CVE-2025-66416 via fastmcp (>=0.1.0 <=2.13.3)

fastmcp PYPI version =0.1.0, =1.0.0, =0.4.6, =1.8.0, =0.1.1, =3.2.0, =3.2.0, =4.2.2, =3.0.2, =0.1.0, =0.2.7, =1.0.0rc1, =0.2.7, =1.7.3, =1.8.3 and more Source cves: CVE-2025-66416 Source advisory: OSV:GHSA-RCFX-77HG-W2WV...

GHSA-RCFX-77HG-W2WV FastMCP updated to MCP 1.23+ due to CVE-2025-66416

There was a recent CVE report on MCP: https://nvd.nist.gov/vuln/detail/CVE-2025-66416. FastMCP does not use any of the affected components of the MCP SDK directly. However, FastMCP versions prior to 2.14.0 did allow MCP SDK versions 1.23 that were vulnerable to CVE-2025-66416. Users should upgrad...

FastMCP updated to MCP 1.23+ due to CVE-2025-66416

There was a recent CVE report on MCP: https://nvd.nist.gov/vuln/detail/CVE-2025-66416. FastMCP does not use any of the affected components of the MCP SDK directly. However, FastMCP versions prior to 2.14.0 did allow MCP SDK versions 1.23 that were vulnerable to CVE-2025-66416. Users should upgrad...

CVE-2025-66416 vulnerabilities

Vulnerabilities for packages: open-webui, semgrep...

CVE-2025-66416 vulnerabilities

Vulnerabilities for packages: open-webui, semgrep...

1xn-vmcp (>=0.5.2 <=0.6.1), a2c-smcp (>=0.1.1rc0 <=0.1.5) +396 more potentially affected by CVE-2025-66416 via mcp (>=1.0.0 <=1.22.0)

mcp PYPI version =1.0.0, =0.5.2, =0.1.1rc0, =0.7.2, =1.1.0, =1.1.0, =1.0.0, =1.0.0, =0.4.0, =0.0.19, =1.0.0, =3.2.0, =3.2.0, =4.2.2, =4.3.3 and more Source cves: CVE-2025-66416 Source advisory: SNYK:PYTHON-MCP-14171912...

1xn-vmcp (>=0.5.2 <=0.6.1), a2c-smcp (>=0.1.1rc0 <=0.1.5) +405 more potentially affected by CVE-2025-66416 via mcp (>=0.9.1 <=1.22.0)

mcp PYPI version =0.9.1, =0.5.2, =0.1.1rc0, =0.7.2, =1.1.0, =1.1.0, =1.0.0, =1.0.0, =0.4.0, =0.0.19, =1.0.0, =3.2.0, =3.2.0, =4.2.2, =4.3.3 and more Source cves: CVE-2025-66416 Source advisory: OSV:GHSA-9H52-P55H-VW2F...

ScienceLogic SL1 SQL Injection Vulnerability (CNVD-2023-66416)

ScienceLogic SL1 is an application from ScienceLogic, Inc. Connect your real estate together to automate multidirectional data flow and workflow. A SQL injection vulnerability exists in ScienceLogic SL1 11.1.2 and earlier versions, which stems from a lack of validation of externally entered SQL...