89439 matches found
CVE-2026-10690
This CVE affects wonderwhy-er DesktopCommanderMCP 0.2.37. The vulnerability is in the readFileFromUrl function (src/tools/filesystem.ts, read_file component) where manipulating the url argument enables server-side request forgery. It can be triggered remotely and an exploit is publicly available....
CVE-2026-10690 wonderwhy-er DesktopCommanderMCP read_file filesystem.ts readFileFromUrl server-side request forgery
A vulnerability was identified in wonderwhy-er DesktopCommanderMCP 0.2.37. This affects the function readFileFromUrl of the file src/tools/filesystem.ts of the component readfile. Such manipulation of the argument url leads to server-side request forgery. The attack may be performed from remote...
CVE-2026-10690
A vulnerability was identified in wonderwhy-er DesktopCommanderMCP 0.2.37. This affects the function readFileFromUrl of the file src/tools/filesystem.ts of the component readfile. Such manipulation of the argument url leads to server-side request forgery. The attack may be performed from remote...
CVE-2026-10690 wonderwhy-er DesktopCommanderMCP read_file filesystem.ts readFileFromUrl server-side request forgery
A vulnerability was identified in wonderwhy-er DesktopCommanderMCP 0.2.37. This affects the function readFileFromUrl of the file src/tools/filesystem.ts of the component readfile. Such manipulation of the argument url leads to server-side request forgery. The attack may be performed from remote...
PYSEC-2026-203
OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Versions prior to 7.260227.0 are vulnerable to XSS in the rendering of email-message observable body data. The content of the body field isn't appropriately sanitized when being rendered. Does...
CVE-2026-10287
A vulnerability was determined in SourceCodester SEO Meta Tag Extractor 1.0. This vulnerability affects the function getheaders of the file /index.php. This manipulation of the argument url causes server-side request forgery. It is possible to initiate the attack remotely. The exploit has been...
CVE-2026-49139
Nanobot prior to version 0.2.1 contains a server-side request forgery vulnerability in the Microsoft Teams channel handler that allows remote attackers to exfiltrate Bot Framework bearer tokens by supplying a forged activity with an attacker-controlled serviceUrl value. Attackers can poison the...
CVE-2026-10662
The CVE concerns ahujasid blender-mcp (up to commit 7636d13bded82eca58eb93c3f4cd8708dfdfbe8b) and targets the ZIP File Handler’s server.py, specifically the requests.get usage. Flaw: manipulation of the argument zip_file_url enables server-side request forgery (SSRF). Impact is described as remot...
CVE-2026-10662
A vulnerability was found in ahujasid blender-mcp up to 7636d13bded82eca58eb93c3f4cd8708dfdfbe8b. The affected element is the function requests.get of the file src/blendermcp/server.py of the component ZIP File Handler. The manipulation of the argument zipfileurl results in server-side request...
CVE-2026-10662 ahujasid blender-mcp ZIP File server.py requests.get server-side request forgery
A vulnerability was found in ahujasid blender-mcp up to 7636d13bded82eca58eb93c3f4cd8708dfdfbe8b. The affected element is the function requests.get of the file src/blendermcp/server.py of the component ZIP File Handler. The manipulation of the argument zipfileurl results in server-side request...
CVE-2026-35212 OpenCTI has XSS in the rendering of email-message observable body data
OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Versions prior to 7.260227.0 are vulnerable to XSS in the rendering of email-message observable body data. The content of the body field isn't appropriately sanitized when being rendered. Does...
CVE-2026-35212
OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Versions prior to 7.260227.0 are vulnerable to XSS in the rendering of email-message observable body data. The content of the body field isn't appropriately sanitized when being rendered. Does...
CVE-2026-49120
Medplum before 5.1.14 contains a server-side request forgery vulnerability in the subscription worker that allows authenticated users to perform unauthorized internal network requests by creating FHIR Subscription resources with arbitrary endpoint URLs. Attackers can point subscription endpoints ...
CVE-2026-49120
Medplum's SSRF flaw (CVE-2026-49120) affects Medplum before 5.1.14 in the subscription worker. An authenticated user can create FHIR Subscription resources with arbitrary endpoint URLs, enabling server-side requests to internal addresses (e.g., metadata services, internal databases, container orc...
CVE-2026-49120 Medplum < 5.1.14 SSRF via FHIR Subscription Endpoint
Medplum before 5.1.14 contains a server-side request forgery vulnerability in the subscription worker that allows authenticated users to perform unauthorized internal network requests by creating FHIR Subscription resources with arbitrary endpoint URLs. Attackers can point subscription endpoints ...
EUVD-2026-33998
Medplum before 5.1.14 contains a server-side request forgery vulnerability in the subscription worker that allows authenticated users to perform unauthorized internal network requests by creating FHIR Subscription resources with arbitrary endpoint URLs. Attackers can point subscription endpoints ...
CVE-2026-42073
OpenClaude is an open-source coding-agent command line interface for cloud and local model providers. Prior to version 0.5.1, the OpenClaude MCP authentication flow starts a temporary local HTTP server to handle OAuth callbacks. To prevent CSRF attacks, the server validates a state parameter...
CVE-2026-10240
A vulnerability was identified in JeecgBoot up to 3.9.2. The impacted element is an unknown function of the file /airag/airagModel/test. The manipulation of the argument baseUrl leads to server-side request forgery. The attack is possible to be carried out remotely. The exploit is publicly...
CVE-2026-10239
A vulnerability was determined in JeecgBoot up to 3.9.2. The affected element is the function WordUtil.addImage of the file /airag/word/edit. Executing a manipulation can lead to server-side request forgery. The attack can be executed remotely. The exploit has been publicly disclosed and may be...
EUVD-2026-33973
OpenClaude is an open-source coding-agent command line interface for cloud and local model providers. Prior to version 0.5.1, the OpenClaude MCP authentication flow starts a temporary local HTTP server to handle OAuth callbacks. To prevent CSRF attacks, the server validates a state parameter...