Lucene search
K

10 matches found

NVD
NVD
added 2026/06/24 8:16 p.m.6 views

CVE-2026-27708

FOSSBilling is a free, open-source billing and client management system. In versions 0.7.2 and prior, the Servicecustom Client API's call method accepts an orderid parameter and fetches the associated order without verifying the authenticated client owns it, potentially exposing cross-client data...

7.1CVSS0.00265EPSS
Exploits0References2
CVE
CVE
added 2026/06/24 7:24 p.m.8 views

CVE-2026-27708

FOSSBilling, before 0.8.0, is vulnerable to an IDOR in the Servicecustom Client API: the __call method accepts an order_id and fetches the order without ensuring the authenticated client owns it, enabling cross-client access to other clients’ orders and exposing PII and service configuration data...

7.1CVSS5.8AI score0.00265EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/06/24 7:24 p.m.14 views

CVE-2026-27708 FOSSBilling: IDOR in Servicecustom Client API allows cross-client data access

FOSSBilling is a free, open-source billing and client management system. In versions 0.7.2 and prior, the Servicecustom Client API's call method accepts an orderid parameter and fetches the associated order without verifying the authenticated client owns it, potentially exposing cross-client data...

7.1CVSS0.00265EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/24 12:0 a.m.8 views

PT-2026-52076

Name of the Vulnerable Software and Affected Versions FOSSBilling versions prior to 0.8.0 Description The Servicecustom Client API's call method accepts an order id parameter and retrieves the associated order without verifying if the authenticated client owns it. This allows an authenticated...

7.1CVSS5.8AI score0.00265EPSS
Exploits0References5
Cvelist
Cvelist
added 2026/02/04 9:29 p.m.27 views

CVE-2026-25536 @modelcontextprotocol/sdk has cross-client data leak via shared server/transport instance reuse

MCP TypeScript SDK is the official TypeScript SDK for Model Context Protocol servers and clients. From version 1.10.0 to 1.25.3, cross-client response data leak when a single McpServer/Server and transport instance is reused across multiple client connections, most commonly in stateless...

7.1CVSS0.00267EPSS
Exploits0References3
EUVD
EUVD
added 2026/02/04 9:29 p.m.7 views

EUVD-2026-5335

MCP TypeScript SDK is the official TypeScript SDK for Model Context Protocol servers and clients. From version 1.10.0 to 1.25.3, cross-client response data leak when a single McpServer/Server and transport instance is reused across multiple client connections, most commonly in stateless...

7.1CVSS5.3AI score0.00267EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/02/04 9:29 p.m.4 views

CVE-2026-25536

MCP TypeScript SDK is the official TypeScript SDK for Model Context Protocol servers and clients. From version 1.10.0 to 1.25.3, cross-client response data leak when a single McpServer/Server and transport instance is reused across multiple client connections, most commonly in stateless...

7.1CVSS5.3AI score0.00267EPSS
Exploits0References4Affected Software1
CVE
CVE
added 2026/02/04 9:29 p.m.42 views

CVE-2026-25536

CVE-2026-25536 affects the MCP TypeScript SDK. From versions 1.10.0 through 1.25.3, cross‑client data can leak when a single McpServer/Server and transport instance is reused across multiple client connections (notably in stateless StreamableHTTPServerTransport deployments). The issue arises from...

7.1CVSS5.3AI score0.00267EPSS
Exploits0References7Affected Software1
CNNVD
CNNVD
added 2023/05/02 12:0 a.m.4 views

Flask 安全漏洞

Pallets Project Flask is a lightweight WSGI Web Server Gateway Interface application framework from the Pallets Project. A security vulnerability exists in Flask where a data response for one client may be cached and later sent by a proxy to other clients...

7.5CVSS7.6AI score0.01261EPSS
Exploits1References15
PyPA
PyPA
added 2021/02/22 3:15 a.m.6 views

PYSEC-2021-113

Django Channels 3.x before 3.0.3 allows remote attackers to obtain sensitive information from a different request scope. The legacy channels.http.AsgiHandler class, used for handling HTTP type requests in an ASGI environment prior to Django 3.0, did not correctly separate request scopes in Channe...

7.4CVSS6.5AI score0.02658EPSS
Exploits1References4Affected Software1
Rows per page
Query Builder