Copyparty <=1.18.6 - Cross-Site Scripting

Copyparty before 1.18.7 is vulnerable to reflected cross-site scripting XSS via the 'filter' parameter in the '/?ru' endpoint. Unsanitized user input is reflected in the HTML response, allowing attackers to execute arbitrary JavaScript in the context of the victim's browser. id: CVE-2025-54589...

MCP Server Kubernetes: Tool Access Control Bypass via Presentation-Layer Filtering Without Execution-Layer Enforcement

Summary mcp-server-kubernetes exposes three environment variables ALLOWONLYREADONLYTOOLS, ALLOWONLYNONDESTRUCTIVETOOLS, ALLOWEDTOOLS documented as access controls for restricting which Kubernetes operations are available. These controls are enforced at the tool discovery layer tools/list but not ...

CamoFox MCP: Unauthenticated HTTP MCP browser-control surface

Unauthenticated HTTP MCP browser-control surface in camofox-mcp Summary camofox-mcp exposed a Streamable HTTP MCP endpoint at /mcp with rate limiting but no inbound MCP-layer authentication. When HTTP mode was enabled, any client that could reach /mcp could list and invoke browser-control tools. ...

MAL-2026-3696 Malicious code in projz-py (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 196ea7ee7277857a29c8478e6908961bde9f28aa136c3e6ae68412ba4b67bff0 The package routes authentication-related calls through a hardcoded third-party HTTP endpoint and then unpickles the server's raw response, which is ...

GHSA-R4W4-WV68-QV85 Spring Cloud AWS missing SNS message signature verification allows spoofing of HTTP/HTTPS endpoint notifications

Impact Applications using Spring Cloud AWS SNS HTTP/HTTPS endpoint support @NotificationMessageMapping, @NotificationSubscriptionMapping, @NotificationUnsubscribeConfirmationMapping did not verify the signature of incoming SNS messages. An unauthenticated attacker who knows the endpoint URL could...

PT-2026-38403

Impact Applications using Spring Cloud AWS SNS HTTP/HTTPS endpoint support @NotificationMessageMapping, @NotificationSubscriptionMapping, @NotificationUnsubscribeConfirmationMapping did not verify the signature of incoming SNS messages. An unauthenticated attacker who knows the endpoint URL could...

GHSA-FJ4G-2P96-Q6M3 Network-AI missing authentication on MCP HTTP endpoint, which allows unauthenticated privileged tool calls

Security Advisory: Missing Authentication for Critical Function in Jovancoding/Network-AI | Field | Value | |---|---| | Project | Jovancoding/Network-AI | | Repository | https://github.com/Jovancoding/Network-AI | | Affected commit | c344f2053eb0d49395988f803bf92f2a86b2a0d0 | | Affected tested...

Unauthenticated Open Redirect, Arbitrary HTTP Response Header Injection, Missing CSRF, and Invisible-Mode Bypass in goshs `/?redirect` endpoint

Summary The GET /?redirect endpoint in goshs v2.0.0-beta.6 performs an HTTP redirect to any attacker-supplied url= value and writes any attacker-supplied header=Name: Value pair into the response, without scheme/host validation, without a header-name allow-list, without authentication in the...

CVE-2026-6126

A weakness has been identified in zhayujie chatgpt-on-wechat CowAgent 2.0.4. The affected element is an unknown function of the component Administrative HTTP Endpoint. This manipulation causes missing authentication. It is possible to initiate the attack remotely. The exploit has been made...

CVE-2026-6126

CVE-2026-6126 affects zhayujie chatgpt-on-wechat CowAgent 2.0.4. The weakness resides in an unknown function of the Administrative HTTP Endpoint, leading to missing authentication. It can be triggered remotely, and the exploit has been made public. Multiple sources note that the project was alert...

CVE-2026-35657

OpenClaw is affected by an authorization bypass vulnerability in the HTTP /sessions/:sessionKey/history endpoint, present in versions before 2026.3.25. The issue allows access to session history without proper operator.read permissions by bypassing scope validation. Attackers can exploit this via...

EUVD-2026-20831

A weakness has been identified in atototo api-lab-mcp up to 0.2.1. This affects the function analyzeapispec/generatetestscenarios/testhttpendpoint of the file src/mcp/http-server.ts of the component HTTP Interface. This manipulation of the argument source/url causes server-side request forgery. T...

CVE-2026-24158

NVIDIA Triton Inference Server contains a vulnerability in the HTTP endpoint where an attacker may cause a denial of service by providing a large compressed payload. A successful exploit of this vulnerability may lead to denial of service...

CVE-2026-24158

NVIDIA Triton Inference Server contains a vulnerability in the HTTP endpoint where an attacker may cause a denial of service by providing a large compressed payload. A successful exploit of this vulnerability may lead to denial of service...

EUVD-2026-12488

A weakness has been identified in Tenda AC8 up to 16.03.50.11. This vulnerability affects the function doSystemCmd of the file /goform/SysToolChangePwd of the component HTTP Endpoint. This manipulation of the argument local2c causes stack-based buffer overflow. The attack can be initiated remotel...

CVE-2026-4254

A weakness has been identified in Tenda AC8 up to 16.03.50.11. This vulnerability affects the function doSystemCmd of the file /goform/SysToolChangePwd of the component HTTP Endpoint. This manipulation of the argument local2c causes stack-based buffer overflow. The attack can be initiated remotel...

Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: clickhouse (UTSA-2026-005268)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-005268 advisory. An issue was discovered in ClickHouse before 22.9.1.2603. An attacker could send a crafted HTTP request to the HTTP Endpoint usually listening on port 8123 by defaul...

EUVD-2026-3609

Mini Mouse 9.2.0 contains a remote code execution vulnerability that allows attackers to execute arbitrary commands through an unauthenticated HTTP endpoint. Attackers can leverage the /op=command endpoint to download and execute payloads by sending crafted JSON requests with malicious script...

CVE-2026-23744 REC in MCPJam inspector due to HTTP Endpoint exposes

MCPJam inspector is the local-first development platform for MCP servers. Versions 1.4.2 and earlier are vulnerable to remote code execution RCE vulnerability, which allows an attacker to send a crafted HTTP request that triggers the installation of an MCP server, leading to RCE. Since MCPJam...

CVE-2026-23744

CVE-2026-23744 affects MCPJam Inspector up to version 1.4.2. The Nuclei template and related sources describe a remote code execution (RCE) vulnerability exploitable via the /api/mcp/connect endpoint. The flaw arises from passing user-controlled input to shell execution, and the service is expose...