Malicious code in @citely/mcp-server (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 55faa6dd8d70be846b57b28ce2665a4a6bc1eafa6898f5f4f2cc8b25d96e1358 On startup of the documented entrypoint npx @citely/mcp-server, setupServer unconditionally invokes void runHarvest in dist/index.js. The harvester...

freerdp: FreeRDP: Denial of service via heap use-after-free during auto-reconnect

A flaw was found in FreeRDP, a free implementation of the Remote Desktop Protocol. This vulnerability, a heap use-after-free, occurs during an auto-reconnect operation when the xfclipboardformatsfree function frees memory that is still being accessed by another thread. A remote attacker could...

GHSA-9V4J-7G44-QCQW Algernon: Auto-refresh SSE event server binds to all interfaces with Access-Control-Allow-Origin: * and no authentication

Summary When auto-refresh is enabled, Algernon spins up an SSE handler that streams a data: line for every filesystem event under the watched directory. The handler performs no authentication of any kind — no shared token, no cookie check against the permissions2 userstate, no IP allow-list, no...

Algernon: Auto-refresh SSE event server binds to all interfaces with Access-Control-Allow-Origin: * and no authentication

Summary When auto-refresh is enabled, Algernon spins up an SSE handler that streams a data: line for every filesystem event under the watched directory. The handler performs no authentication of any kind — no shared token, no cookie check against the permissions2 userstate, no IP allow-list, no...

CVE-2026-33232

AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. Versions 0.4.2 through 0.6.51 are vulnerable to an unauthenticated Denial of Service DoS through the server due to uncontrolled disk space consumption. The downloadagentfile...

CVE-2026-33234 AutoGPT: SendEmailBlock's IP blocklist bypass allows SSRF via user-controlled SMTP server

AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. In versions 0.1.0 through 0.6.51, SendEmailBlock in autogptplatform/backend/backend/blocks/emailblock.py accepts a user-supplied smtpserver string and smtpport integer as...

CVE-2026-33233

CVE-2026-33233 affects AutoGPT Platform: older releases (0.6.34–0.6.51) deserialize Redis cache bytes with pickle.loads without integrity checks, while writes use pickle.dumps into Redis. The read path blindly calls pickle.loads on bytes with no HMAC/signature or strict schema validation. An atta...

CVE-2026-33232

AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. Versions 0.4.2 through 0.6.51 are vulnerable to an unauthenticated Denial of Service DoS through the server due to uncontrolled disk space consumption. The downloadagentfile...

EUVD-2026-30819

AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. Versions 0.4.2 through 0.6.51 are vulnerable to an unauthenticated Denial of Service DoS through the server due to uncontrolled disk space consumption. The downloadagentfile...

Flask-Reuploaded vulnerable to Remote Code Execution via Server-Side Template Injection (CVE-2026-27641)

Flask-Reuploaded provides file uploads for Flask. A critical path traversal and extension bypass vulnerability in versions prior to 1.5.0 allows remote attackers to achieve arbitrary file write and remote code execution through Server-Side Template Injection SSTI. Flask-Reuploaded has been patche...

@antv/auto-chart (>=2.0.0 <=2.1.0-alpha.0), @antv/thumbnails-component (>=2.0.0 <=2.0.0-alpha.2) potentially affected by unknown CVE via @antv/thumbnails (=2.0.0)

@antv/thumbnails NPM version =2.0.0 is affected by a known vulnerability. The following packages have a transitive dependency on @antv/thumbnails and may be impacted: - @antv/auto-chart =2.0.0, =2.0.0, =2.0.0-alpha.2 Source cves: unknown CVE Source advisory: SNYK:JS-ANTVTHUMBNAILS-16755087...

@antv/auto-chart (>=2.0.0 <=2.1.0-alpha.0), @antv/chart-advisor (>=2.0.0 <=2.1.0-alpha.1) +5 more potentially affected by unknown CVE via @antv/ckb (>=2.0.4 <=2.1.0-alpha.0)

@antv/ckb NPM version =2.0.4, =2.0.0, =2.0.0, =1.2.0-beta.0, =1.0.0-alpha.1, =2.0.0, =2.0.0, =0.0.1, =0.1.0-beta.57 Source cves: unknown CVE Source advisory: SNYK:JS-ANTVCKB-16754938...

@antv/auto-chart (>=2.0.0 <=2.0.5-alpha.0), @antv/chart-advisor (>=2.0.4 <=2.0.5-alpha.0) +1 more potentially affected by unknown CVE via @antv/data-samples (=1.0.1)

@antv/data-samples NPM version =1.0.1 is affected by a known vulnerability. The following packages have a transitive dependency on @antv/data-samples and may be impacted: - @antv/auto-chart =2.0.0, =2.0.4, =2.0.4, =2.0.5-alpha.0 Source cves: unknown CVE Source advisory:...

@antv/auto-chart (>=2.0.0 <=2.0.1), @antv/chartshaper (>=1.2.0-beta.0 <=1.2.0-beta.3) potentially affected by unknown CVE via @antv/g2plot-schemas (=1.2.2)

@antv/g2plot-schemas NPM version =1.2.2 is affected by a known vulnerability. The following packages have a transitive dependency on @antv/g2plot-schemas and may be impacted: - @antv/auto-chart =2.0.0, =1.2.0-beta.0, =1.2.0-beta.3 Source cves: unknown CVE Source advisory:...

@antv/auto-chart (>=2.0.0 <=2.1.0-alpha.0) potentially affected by unknown CVE via @antv/thumbnails-component (=2.0.0)

@antv/thumbnails-component NPM version =2.0.0 is affected by a known vulnerability. The following packages have a transitive dependency on @antv/thumbnails-component and may be impacted: - @antv/auto-chart =2.0.0, =2.1.0-alpha.0 Source cves: unknown CVE Source advisory:...

@antv/auto-chart (>=2.0.0 <=2.1.0-alpha.0) potentially affected by unknown CVE via @antv/thumbnails-component (=2.0.0)

@antv/thumbnails-component NPM version =2.0.0 is affected by a known vulnerability. The following packages have a transitive dependency on @antv/thumbnails-component and may be impacted: - @antv/auto-chart =2.0.0, =2.1.0-alpha.0 Source cves: unknown CVE Source advisory:...

@antv/auto-chart (>=2.0.0 <=2.1.0-alpha.0), @antv/ava (>=3.0.0 <=3.6.0-alpha.0) +18 more potentially affected by unknown CVE via @antv/color-schema (=0.2.3)

@antv/color-schema NPM version =0.2.3 is affected by a known vulnerability. The following packages have a transitive dependency on @antv/color-schema and may be impacted: - @antv/auto-chart =2.0.0, =3.0.0, =3.0.0, =2.0.0, =5.1.5, =0.1.0, =2.0.4, =0.1.7, =1.0.0, =3.4.1-formant, =3.3.2-formant,...

shadowstrike

⚡ ShadowStrike AI-Powered Advanced Security Testing Platf...

[SECURITY] Fedora 43 Update: valkey-8.1.7-1.fc43

Valkey is an advanced key-value store. It is often referred to as a data structure server since keys can contain strings, hashes, lists, sets and sorted sets. You can run atomic operations on these types, like appending to a string; incrementing the value in a hash; pushing to a list; computing s...

PT-2026-41428

iDS6 DSSPro Digital Signage System 6.2 contains a CAPTCHA security bypass vulnerability that allows attackers to bypass authentication by requesting the autoLoginVerifyCode object. Attackers can retrieve valid CAPTCHA codes via the login endpoint and use them to perform brute-force attacks agains...