Malicious code in cdp-core (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector dbf55b093e3a93e8d3f536101e62e09cf7e86636cd42813d02f518138cbcb8ed The package ships cdpinject.js, which combines childprocess, fs, http/https, and base64 encoding to gather system information and exfiltrate it over...

CVE-2026-31234

Horovod thru 0.28.1 contains an insecure deserialization vulnerability CWE-502 in its KVStore HTTP server component. The KVStore server, used for distributed task coordination, lacks authentication and authorization controls, allowing any remote attacker to write arbitrary data via HTTP PUT...

FreeBSD : www/nginx -- Remote Code Execution/DoS (3414ac89-4f9f-11f1-a1c0-0050569f0b83)

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the 3414ac89-4f9f-11f1-a1c0-0050569f0b83 advisory. nginx development team reports: When using the proxysetbody directive, an attacker might injec...

Azure Linux 3.0 Security Update: CBL-Mariner Releases (CVE-2026-33814)

The version of CBL-Mariner Releases installed on the remote Azure Linux 3.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2026-33814 advisory. - When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing...

Security update for go1.25

This update for go1.25 fixes the following issues Security issues: CVE-2026-33811: net: crash when handling long CNAME response bsc1264508. CVE-2026-33814: net/http: infinite loop in HTTP/2 transport when given bad SETTINGSMAXFRAMESIZE bsc1264506. CVE-2026-39817: cmd/go: "go tool pack" does not...

EUVD-2026-30488

The MCP Registry provides MCP clients with a list of MCP servers, like an app store for MCP servers. Prior to 1.7.7, the Registry's HTTP-based namespace verification POST /v0/auth/http, POST /v0.1/auth/http uses safeDialContext internal/api/handlers/v0/auth/http.go:67-110 to refuse dialling...

CVE-2026-44430 MCP Registry: Unauthenticated SSRF: HTTP namespace verification dials 6to4 / NAT64 / site-local IPv6 addresses, bypassing private-address allowlist

The MCP Registry provides MCP clients with a list of MCP servers, like an app store for MCP servers. Prior to 1.7.7, the Registry's HTTP-based namespace verification POST /v0/auth/http, POST /v0.1/auth/http uses safeDialContext internal/api/handlers/v0/auth/http.go:67-110 to refuse dialling...

CVE-2026-44430

The MCP Registry provides MCP clients with a list of MCP servers, like an app store for MCP servers. Prior to 1.7.7, the Registry's HTTP-based namespace verification POST /v0/auth/http, POST /v0.1/auth/http uses safeDialContext internal/api/handlers/v0/auth/http.go:67-110 to refuse dialling...

GHSA-R8J5-8747-88CM @utcp/http: SSRF via attacker-controlled OpenAPI servers[0].url in HTTP communication protocol

Summary The @utcp/http package is vulnerable to a blind Server-Side Request Forgery SSRF caused by a trust-boundary inconsistency between manual discovery and tool invocation. registerManual validates the discovery URL against an HTTPS / loopback allowlist, but callTool reuses the resolved...

Server-side Request Forgery (SSRF)

Overview @utcp/http is a HTTP utilities for UTCP Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the OpenApiConverter process. An attacker can access internal network resources and sensitive metadata endpoints by supplying a malicious OpenAPI specification...

NPM: DeepSeek TUI has SSRF via HTTP Redirect Bypass in fetch_url Tool

NPM: DeepSeek TUI has SSRF via HTTP Redirect Bypass in fetchurl Tool vulnerability discovered by ? in WordPress Npm deepseek-tui versions 0.8.22...

Improper Authorization

Overview open-webui is an Open WebUI Affected versions of this package are vulnerable to Improper Authorization via the bypassfilter parameter in the HTTP query string, which is unintentionally exposed in the route handler. An attacker can gain unauthorized access to restricted models by appendin...

CLSA-2026-1778768341 python: Fix of 4 CVEs

CVE-2019-9740: reject control characters in HTTP URL paths in httplib.HTTPConnection.putrequest to prevent CRLF header injection - CVE-2019-18348: reject control characters in hostnames in httplib.HTTPConnection.init via a new validatehost helper to prevent CRLF header injection the glibc...

CLSA-2026-1778789558 httpd: Fix of CVE-2022-36760

CVE-2022-36760: modproxyajp: fix possible request smuggling via invalid Transfer-Encoding...

CVE-2026-44661

CVE-2026-44661 affects python-utcp (utcp-http plugin) prior to v1.1.3. The vulnerability arises because register_manual() validates discovery URLs against an HTTPS/loopback allowlist, while call_tool()/call_tool_streaming() reuse tool_call_template.url without revalidation and the OpenAPI convert...

Malicious code in rimraf-utils (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a59d88d733415216903578b3c3806d76405a23a7cca56ee355eb6725e4e930d4 [email protected] impersonates the widely-installed rimraf package index.js is a dummy stub that internally identifies itself as 'lodash-js — Just a...

python: Fix of 4 CVEs

CVE-2019-9740: reject control characters in HTTP URL paths in httplib.HTTPConnection.putrequest to prevent CRLF header injection - CVE-2019-18348: reject control characters in hostnames in httplib.HTTPConnection.init via a new validatehost helper to prevent CRLF header injection the glibc...

CLSA-2026-1778786567 curl: Fix of 2 CVEs

CVE-2018-1000120: fix buffer overflow exists in the FTP URL handling - CVE-2018-1000007: fix leak authentication data to third parties in HTTP requests...

MAL-2026-3747 Malicious code in @aiscene/aiserver (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 542fdb1c23b52adda0ed5164b65c9768aef7a5edd45473f9cd3ceab3065b1bb3 When the installed aiserver tool is started via its bin, npm start, or loading dist/index.js, it registers the host with a hardcoded remote controlle...

CVE-2026-44516

Valtimo is an open-source business process automation platform. From 12.4.0 to 12.33.0 and 13.26.0, the LoggingRestClientCustomizer in the web module automatically intercepts all outgoing HTTP calls made via Spring's RestClient and logs the full request body, response body, and response headers...