PT-2026-36531

A vulnerability was found in ggerve coding-standards-mcp. This issue affects the function get style guide/get best practices of the file server.py. The manipulation of the argument Language results in path traversal. It is possible to launch the attack remotely. The exploit has been made public a...

Command Injection

Overview Affected versions of this package are vulnerable to Command Injection via the username field in the FSx Windows File Server volume mounting process. An attacker can execute arbitrary shell commands with SYSTEM privileges on the underlying host by supplying specially crafted input. This i...

CVE-2026-7461

Improper neutralization of inputs used in an OS command in the FSx Windows File Server volume mounting component in Amazon ECS Agent on Windows before version 1.103.0 might allow a remote authenticated threat actor to execute shell commands with SYSTEM privileges on the underlying host via a...

CVE-2026-7461

Improper neutralization of inputs used in an OS command in the FSx Windows File Server volume mounting component in Amazon ECS Agent on Windows before version 1.103.0 might allow a remote authenticated threat actor to execute shell commands with SYSTEM privileges on the underlying host via a...

Amazon ECS Container Agent 操作系统命令注入漏洞

Amazon ECS Container Agent is an open-source elastic container service agent software developed by Amazon Web Services. Versions of Amazon ECS Container Agent prior to 1.103.0 contained an operating system command injection vulnerability. This vulnerability stems from improper handling of OS...

Filesystem MCP Server 路径遍历漏洞

The Filesystem MCP Server is a context-based protocol developed by Manan Sharma, which provides comprehensive access and manipulation of the file system. Version 1.0.0 of the Filesystem MCP Server contains a path traversal vulnerability. This vulnerability stems from improper handling of the...

CVE-2026-7315

The CVE affects eiceblue spire-pdf-mcp-server v0.1.1 (PDF File Handler, get_pdf_path). A flaw allows path traversal via a manipulated filepath, enabling a remote attack. Exploit has been published; the project was informed early via an issue but has not responded. No remediation or patch version ...

CVE-2026-7315 eiceblue spire-pdf-mcp-server PDF File server.py get_pdf_path path traversal

A flaw has been found in eiceblue spire-pdf-mcp-server 0.1.1. This impacts the function getpdfpath of the file src/spirepdfmcp/server.py of the component PDF File Handler. Executing a manipulation of the argument filepath can lead to path traversal. The attack can be launched remotely. The exploi...

CVE-2025-67223

The Aranda File Server AFS component in Aranda Software Aranda Service Desk before 8.3.12 stores daily activity logs with predictable names in a publicly accessible directory, which allows unauthenticated remote attackers to obtain direct virtual paths of uploaded files and bypass access controls...

CVE-2025-67223

The Aranda File Server AFS component in Aranda Software Aranda Service Desk before 8.3.12 stores daily activity logs with predictable names in a publicly accessible directory, which allows unauthenticated remote attackers to obtain direct virtual paths of uploaded files and bypass access controls...

CVE-2025-67223

The Aranda File Server AFS component in Aranda Software Aranda Service Desk before 8.3.12 stores daily activity logs with predictable names in a publicly accessible directory, which allows unauthenticated remote attackers to obtain direct virtual paths of uploaded files and bypass access controls...

CVE-2025-67223

The Aranda File Server AFS component in Aranda Software Aranda Service Desk before 8.3.12 stores daily activity logs with predictable names in a publicly accessible directory, which allows unauthenticated remote attackers to obtain direct virtual paths of uploaded files and bypass access controls...

PT-2026-35739

The Aranda File Server AFS component in Aranda Software Aranda Service Desk before 8.3.12 stores daily activity logs with predictable names in a publicly accessible directory, which allows unauthenticated remote attackers to obtain direct virtual paths of uploaded files and bypass access controls...

EUVD-2025-209585

The Aranda File Server AFS component in Aranda Software Aranda Service Desk before 8.3.12 stores daily activity logs with predictable names in a publicly accessible directory, which allows unauthenticated remote attackers to obtain direct virtual paths of uploaded files and bypass access controls...

CVE-2025-67223

The CVE concerns the Aranda File Server (AFS) component in Aranda Software Aranda Service Desk prior to 8.3.12. It stores daily activity logs with predictable names in a publicly accessible directory, enabling unauthenticated remote attackers to obtain direct virtual paths to uploaded files and b...

EUVD-2026-25906

A vulnerability was detected in JoeCastrom mcp-chat-studio up to 1.5.0. Affected by this issue is some unknown functionality of the file server/routes/llm.js of the component LLM Models API. Performing a manipulation of the argument req.query.baseurl results in server-side request forgery. Remote...

PT-2026-35532

A vulnerability was found in douinc mkdocs-mcp-plugin up to 0.4.1. This affects the function read document/list documents of the file server.py. Performing a manipulation of the argument docs dir/file path results in path traversal. The attack is possible to be carried out remotely. The exploit h...

Directory Traversal

Overview Affected versions of this package are vulnerable to Directory Traversal via improper validation in the sanitizePath function. An attacker can access or modify files outside the intended directory boundary by crafting paths that bypass prefix-based checks. Details A Directory Traversal...

CVE-2026-6593

A vulnerability was found in ComfyUI up to 0.13.0. Affected by this issue is some unknown functionality of the file server.py of the component View Endpoint. Performing a manipulation results in cross site scripting. The attack is possible to be carried out remotely. The exploit has been made...

CVE-2026-6593

A vulnerability was found in ComfyUI up to 0.13.0. Affected by this issue is some unknown functionality of the file server.py of the component View Endpoint. Performing a manipulation results in cross site scripting. The attack is possible to be carried out remotely. The exploit has been made...