3 matches found
DNS rebinding and cross-origin CSRF in dynoxide's MCP HTTP transport
dynoxide's MCP HTTP transport was vulnerable to DNS rebinding via its transitive rmcp dependency, plus a related cross-origin CSRF gap. A malicious web page could make the user's browser send requests to a local dynoxide mcp --http or dynoxide serve --mcp server with a non-loopback Host header,...
RUSTSEC-2026-0140 DNS rebinding and cross-origin CSRF in dynoxide's MCP HTTP transport
dynoxide's MCP HTTP transport was vulnerable to DNS rebinding via its transitive rmcp dependency, plus a related cross-origin CSRF gap. A malicious web page could make the user's browser send requests to a local dynoxide mcp --http or dynoxide serve --mcp server with a non-loopback Host header,...
CVE-2026-26317
OpenClaw (personal AI assistant) exposes loopback browser mutation endpoints that accept cross-origin requests prior to 2026.2.14, enabling cross‑site request forgery (CSRF) to trigger unauthorized state changes in the victim’s local browser control plane. Starting with 2026.2.14, mutating HTTP m...