EUVD-2026-16866

MCP Ruby SDK is the official Ruby SDK for Model Context Protocol servers and clients. Prior to version 0.9.2, the Ruby SDK's streamablehttptransport.rb implementation contains a session hijacking vulnerability. An attacker who obtains a valid session ID can completely hijack the victim's...

CVE-2026-33946

MCP Ruby SDK is the official Ruby SDK for Model Context Protocol servers and clients. Prior to version 0.9.2, the Ruby SDK's streamablehttptransport.rb implementation contains a session hijacking vulnerability. An attacker who obtains a valid session ID can completely hijack the victim's...

CVE-2026-31950 LibreChat's IDOR in SSE Stream Subscription Allows Reading Other Users' Chats

LibreChat is a ChatGPT clone with additional features. In versions 0.8.2-rc2 through 0.8.2-rc3, the SSE streaming endpoint /api/agents/chat/stream/:streamId does not verify that the requesting user owns the stream. Any authenticated user who obtains or guesses a valid stream ID can subscribe and...

MCP Ruby SDK: Insufficient Session Binding Allows SSE Stream Hijacking via Session ID Replay

Summary The Ruby SDK's streamablehttptransport.rb implementation contains a session hijacking vulnerability. An attacker who obtains a valid session ID can completely hijack the victim's Server-Sent Events SSE stream and intercept all real-time data. Details Root Cause The StreamableHTTPTransport...

CVE-2026-27813

EVerest is an EV charging software stack. Versions prior to 2026.02.0 have a data race leading to use-after-free. This is triggered by EV plug-in/unplug and RFID/RemoteStart/OCPP authorization events or delayed authorization response. Version 2026.2.0 contains a patch...

CVE-2026-34243

creationtimestamp| type| source ---|---|--- 2026-03-27 12:52:58+00:00| published-proof-of-concept| https://github.com/njzjz/wenxian/security/advisories/GHSA-r4fj-r33x-8v88 2026-03-31 16:28:40+00:00| seen| https://bsky.app/profile/thehackerwire.bsky.social/post/3mieluuzr2r2c 2026-03-31...

CVE-2026-27858

creationtimestamp| type| source ---|---|--- 2026-03-27 09:00:45+00:00| seen| https://infosec.exchange/users/offseq/statuses/116300319602682921 2026-03-27 09:00:47+00:00| seen| https://bsky.app/profile/offseq.bsky.social/post/3mhzqyd3ezr2r 2026-03-27 11:16:46+00:00| seen|...

LibreChat 访问控制错误漏洞

LibreChat is an open-source, free, and highly customizable unified AI conversation platform. It allows for the aggregation and running of large models from any vendor within one interface. Versions of LibreChat 0.8.2-rc2 to 0.8.2-rc3 contain an access control vulnerability. This vulnerability ste...

PT-2026-28431

Name of the Vulnerable Software and Affected Versions LibreChat versions 0.8.2-rc2 through 0.8.2-rc3 Description LibreChat, a ChatGPT clone, has an issue where the SSE streaming endpoint /api/agents/chat/stream/:streamId does not confirm that the user making the request is authorized to access th...

PT-2026-28576

Name of the Vulnerable Software and Affected Versions MCP Ruby SDK versions prior to 0.9.2 Description The Ruby SDK for Model Context Protocol servers and clients contains a session hijacking issue in its streamable http transport.rb implementation. An attacker obtaining a valid session ID can...

MCP Ruby SDK - Insufficient Session Binding Allows SSE Stream Hijacking via Session ID Replay

Summary The Ruby SDK's streamablehttptransport.rb implementation contains a session hijacking vulnerability. An attacker who obtains a valid session ID can completely hijack the victim's Server-Sent Events SSE stream and intercept all real-time data. Details Root Cause The StreamableHTTPTransport...

CVE-2026-22499

creationtimestamp| type| source ---|---|--- 2026-03-26 21:33:01+00:00| seen| Telegram/qlJD1CgOtbDgAxId7dIbMWTbI1DJPQzd8qf0Aqvg-8QSzlk 2026-03-26 21:33:13+00:00| seen| Telegram/5Bb0qK301Op7Yhojb7YEduqeLGlpAUlFeXZf97xc-7ChehU...

CVE-2026-33631

ClearanceKit intercepts file-system access events on macOS and enforces per-process access policies. In versions on the 4.1 branch and earlier, the opfilter Endpoint Security system extension enforced file access policy exclusively by intercepting ESEVENTTYPEAUTHOPEN events. Seven additional file...

CVE-2026-33632

ClearanceKit intercepts file-system access events on macOS and enforces per-process access policies. Prior to version 4.2.4, two file operation event types — ESEVENTTYPEAUTHEXCHANGEDATA and ESEVENTTYPEAUTHCLONE — were not intercepted by ClearanceKit's opfilter system extension, allowing local...

CVE-2026-33632 ClearanceKit: opfilter policy bypass via exchangedata and clone operations

ClearanceKit intercepts file-system access events on macOS and enforces per-process access policies. Prior to version 4.2.4, two file operation event types — ESEVENTTYPEAUTHEXCHANGEDATA and ESEVENTTYPEAUTHCLONE — were not intercepted by ClearanceKit's opfilter system extension, allowing local...

EUVD-2026-16373

ClearanceKit intercepts file-system access events on macOS and enforces per-process access policies. Prior to version 4.2.4, two file operation event types — ESEVENTTYPEAUTHEXCHANGEDATA and ESEVENTTYPEAUTHCLONE — were not intercepted by ClearanceKit's opfilter system extension, allowing local...

CVE-2026-33632 ClearanceKit: opfilter policy bypass via exchangedata and clone operations

ClearanceKit intercepts file-system access events on macOS and enforces per-process access policies. Prior to version 4.2.4, two file operation event types — ESEVENTTYPEAUTHEXCHANGEDATA and ESEVENTTYPEAUTHCLONE — were not intercepted by ClearanceKit's opfilter system extension, allowing local...

CVE-2026-33631

CVE-2026-33631 affects ClearanceKit on macOS. In the 4.1 branch and earlier, the opfilter Endpoint Security system extension enforced file access policy only for ES_EVENT_TYPE_AUTH_OPEN; seven additional file operation events were not intercepted, allowing local processes to bypass FAA policy wit...

EUVD-2026-16371

ClearanceKit intercepts file-system access events on macOS and enforces per-process access policies. In versions on the 4.1 branch and earlier, the opfilter Endpoint Security system extension enforced file access policy exclusively by intercepting ESEVENTTYPEAUTHOPEN events. Seven additional file...

CVE-2026-33631 ClearanceKit: opfilter policy bypass via non-open file operations

ClearanceKit intercepts file-system access events on macOS and enforces per-process access policies. In versions on the 4.1 branch and earlier, the opfilter Endpoint Security system extension enforced file access policy exclusively by intercepting ESEVENTTYPEAUTHOPEN events. Seven additional file...