52230 matches found

Positive Technologies (added 2026/02/04 12:00 a.m., 2 views)

PT-2026-6350

Summary: Cross-client response data leak when a single McpServer/Server and transport instance is reused across multiple client connections, most commonly in stateless StreamableHTTPServerTransport deployments. Impact: Who is affected: Any MCP server deployment using the TypeScript SDK where a sing...

CVSS 7.1 | AI score 5.5 | EPSS 0.00016
Exploits: 0 | References: 6
CNNVD (added 2026/02/04 12:00 a.m., 3 views)

jsonwebtoken security vulnerability

jsonwebtoken is an implementation of JSON Web Tokens developed by Auth0 as open source. Versions of jsonwebtoken prior to 10.3.0 contained a security vulnerability. This vulnerability stemmed from claim validation logic that had type confusion issues, which could lead to bypassing...

CVSS 7.5 | AI score 5.8 | EPSS 0.00042
Exploits: 1 | References: 2
Zero Day Initiative (added 2026/02/04 12:00 a.m., 2 views)

NVIDIA Triton Inference Server EVBufferToJson Uncaught Exception Denial-of-Service Vulnerability

This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of NVIDIA Triton Inference Server. Authentication is not required to exploit this vulnerability. The specific flaw exists within the EVBufferToJson method. The issue results from the lack ...

CVSS 7.5 | AI score 5.6 | EPSS 0.00108
Exploits: 0 | References: 1
CNNVD (added 2026/02/04 12:00 a.m., 4 views)

Devtron security vulnerability

Devtron is an open-source Kubernetes cloud-native tool integration platform developed by Devtron. Versions of Devtron 2.0.0 and earlier contained security vulnerabilities. These vulnerabilities were caused by improper access control in the Attributes API interface, which could lead to the...

CVSS 8.8 | AI score 6.6 | EPSS 0.00026
Exploits: 1 | References: 2
Positive Technologies (added 2026/02/04 12:00 a.m., 4 views)

PT-2026-6657

Name of the Vulnerable Software and Affected Versions: EPyT-Flow versions prior to 0.16.1. Description: EPyT-Flow is a Python package used for generating hydraulic and water quality scenario data for water distribution networks. The REST API parses attacker-controlled JSON request bodies using a...

CVSS 10 | AI score 5.9 | EPSS 0.00096
Exploits: 0 | References: 14
Positive Technologies (added 2026/02/04 12:00 a.m., 3 views)

PT-2026-6317

Name of the Vulnerable Software and Affected Versions: Devtron versions prior to 2.0.0. Description: Devtron is a tool integration platform for Kubernetes. A flaw exists in the Attributes API interface that allows authenticated users to obtain the global API Token signing key by accessing the...

CVSS 8.7 | AI score 5.6 | EPSS 0.00026
Exploits: 1 | References: 9
OSV (added 2026/02/03 6:47 p.m., 1 view)

GHSA-H395-GR6Q-CPJC jsonwebtoken has Type Confusion that leads to potential authorization bypass

Summary: It has been discovered that there is a Type Confusion vulnerability in jsonwebtoken, specifically in its claim validation logic. When a standard claim such as nbf or exp is provided with an incorrect JSON type, like a String instead of a Number, the library's internal parsing mechanism...

CVSS 6.9 | AI score 5.8 | EPSS 0.00042
Exploits: 1 | References: 4
Snyk (added 2026/02/03 6:30 p.m., 2 views)

Use of Hard-coded Credentials

Overview: fuxa-server is a web-based Process Visualization SCADA/HMI/Dashboard software. Affected versions of this package are vulnerable to Use of Hard-coded Credentials via jwt-helper.js when verifying JWT tokens. An attacker can gain unauthorized administrative access by forging valid tokens...

CVSS 9.8 | AI score 5.5 | EPSS 0.04529
Exploits: 0 | References: 2
NVD (added 2026/02/03 6:16 p.m., 5 views)

CVE-2025-69971

FUXA v1.2.7 contains a hard-coded credential vulnerability in server/api/jwt-helper.js. The application uses a hard-coded secret key to sign and verify JWT Tokens. This allows remote attackers to forge valid admin tokens and bypass authentication to gain full administrative access...

CVSS 9.8 | EPSS 0.04529
Exploits: 0 | References: 1
Positive Technologies (added 2026/02/03 12:00 a.m., 3 views)

PT-2026-6431

Summary: It has been discovered that there is a Type Confusion vulnerability in jsonwebtoken, specifically in its claim validation logic. When a standard claim such as nbf or exp is provided with an incorrect JSON type, like a String instead of a Number, the library's internal parsing mechanism...

CVSS 6.9 | AI score 5.7 | EPSS 0.00042
Exploits: 1 | References: 5
EUVD (added 2026/02/03 12:00 a.m., 3 views)

EUVD-2025-206717

FUXA v1.2.7 contains a hard-coded credential vulnerability in server/api/jwt-helper.js. The application uses a hard-coded secret key to sign and verify JWT Tokens. This allows remote attackers to forge valid admin tokens and bypass authentication to gain full administrative access...

AI score 5.5 | EPSS 0.04529
Exploits: 0 | References: 1
Positive Technologies (added 2026/02/03 12:00 a.m., 2 views)

PT-2026-6510

Fleet has a JWT signature bypass vulnerability in Azure AD MDM enrollment in github.com/fleetdm/fleet...

AI score 5.5
Exploits: 0 | References: 3
VulnCheck KEV (added 2026/02/03 12:00 a.m., 1 view)

VulnCheck KEV: CVE-2024-12877

The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.19.2 via deserialization of untrusted input from the donation form like 'firstName'. This makes it possible for unauthenticated attackers to...

CVSS 9.8 | AI score 8 | EPSS 0.33421
In the wild | Exploits: 1 | References: 2
CVE (added 2026/02/03 12:00 a.m., 8 views)

CVE-2025-69971

FUXA v1.2.7 contains a hard-coded secret in server/api/jwt-helper.js used to sign and verify JWTs, enabling remote attackers to forge admin tokens and bypass authentication to gain full administrative access. This is documented by multiple sources (NVD entry and the Nuclei template) and indicates...

CVSS 9.8 | AI score 5.5 | EPSS 0.04529
Exploits: 0 | References: 1 | Affected Software: 1
OpenVAS (added 2026/02/03 12:00 a.m., 2 views)

Huawei EulerOS: Security Advisory for haproxy (EulerOS-SA-2026-1211)

The remote host is missing an update for the Huawei EulerOS. SPDX-FileCopyrightText: 2026 Greenbone AG. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

CVSS 7.5 | AI score 5.4 | EPSS 0.00468
Exploits: 0 | References: 2
Positive Technologies (added 2026/02/02 12:00 a.m., 2 views)

PT-2026-6298

Name of the Vulnerable Software and Affected Versions: Bambuddy versions prior to 0.1.7. Description: Bambuddy is a self-hosted print archive and management system for Bambu Lab 3D printers. Versions before 0.1.7 include a hardcoded secret key used for signing JSON Web Tokens (JWTs). Multiple API rout...

CVSS 9.8 | AI score 5.5 | EPSS 0.00132
Exploits: 1 | References: 19
Tenable Nessus (added 2026/02/02 12:00 a.m., 5 views)

EulerOS 2.0 SP13 : haproxy (EulerOS-SA-2026-1223)

According to the versions of the haproxy package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities: Inefficient algorithm complexity in mjson in HAProxy allows remote attackers to cause a denial of service via specially crafted JSON...

CVSS 7.5 | AI score 7.1 | EPSS 0.00468
Exploits: 0 | References: 2
GithubExploit (added 2026/02/01 11:44 a.m., 128 views)

zmscan

Vulnerability Scanner. A security vulnerability detection tool...

AI score 5.8
Exploits: 0
Tenable Nessus (added 2026/01/31 12:00 a.m., 4 views)

EulerOS Virtualization 2.10.1 : yajl (EulerOS-SA-2026-1152)

According to the versions of the yajl package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities: In the yajl-ruby gem 1.3.0 for Ruby, when a crafted JSON file is supplied to Yajl::Parser.new.parse, the whole ruby process crashes wi...

CVSS 7.5 | AI score 5.9 | EPSS 0.01684
Exploits: 1 | References: 2
OSV (added 2026/01/30 10:15 p.m., 2 views)

CVE-2025-36366

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) could allow a user to cause a denial of service by executing a query that invokes the JSONObject scalar function, which may trigger an unhandled exception leading to abnormal server termination...

CVSS 6.5 | AI score 6.5 | EPSS 0.00046
Exploits: 0 | References: 1