7 matches found

Github Security Blog · added 2026/05/21 10:39 p.m.

Network-AI: Unauthenticated Cross-Origin MCP Tool Invocation via Empty Default Secret

Unauthenticated Cross-Origin MCP Tool Invocation via Empty Default Secret

| Field | Value |
| ---------------- | ----- |
| Repository | Jovancoding/Network-AI |
| Affected version | v5.4.4 commit c12686e181f231cf8d7bcf836a96d78f0f0877ac |

Summary: The MCP SSE server defaults to an empty secret...

AI score: 6
Exploits: 0 · References: 2 · Affected Software: 1
Github Security Blog · added 2026/03/25 7:54 p.m.

AVideo vulnerable to IP Address Spoofing via Untrusted HTTP Headers in getRealIpAddr()

Summary The getRealIpAddr function in objects/functions.php trusts user-controlled HTTP headers to determine the client's IP address. An attacker can spoof their IP address by sending forged headers, bypassing any IP-based access controls or audit logging. Vulnerable Code File:...

CVSS: 5.3 · AI score: 5.8 · EPSS: 0.00029
Exploits: 1 · References: 4 · Affected Software: 1
Positive Technologies · added 2025/12/02 12:00 a.m.

PT-2025-48747

Name of the Vulnerable Software and Affected Versions mcp versions prior to 1.23.0 Description The mcp Python SDK does not enable DNS rebinding protection by default for HTTP-based servers. If an HTTP-based MCP server is running on localhost without authentication, using FastMCP with streamable...

CVSS: 7.6 · AI score: 7.6 · EPSS: 0.0004
Exploits: 0 · References: 7
Positive Technologies · added 2024/07/15 12:00 a.m.

PT-2024-28732 · Npm · @Jmondi/Url-To-Png

Name of the Vulnerable Software and Affected Versions: @jmondi/url-to-png versions prior to 2.1.1 Description: The issue concerns the ALLOW LIST in the @jmondi/url-to-png package, which permits capturing screenshots of web services running on localhost, 127.0.0.1, or the :: by default. If hosted ...

CVSS: 6.3 · AI score: 6.2 · EPSS: 0.00069
Exploits: 0 · References: 7
OSV · added 2024/05/06 3:15 p.m.

AZL-40466 CVE-2024-34069 affecting package python-werkzeug for versions less than 2.3.7-2

Werkzeug is a comprehensive WSGI web application library. The debugger in affected versions of Werkzeug can allow an attacker to execute code on a developer's machine under some circumstances. This requires the attacker to get the developer to interact with a domain and subdomain they control, an...

CVSS: 7.5 · AI score: 6.9 · EPSS: 0.4365
Exploits: 0 · References: 1
Positive Technologies · added 2024/02/08 12:00 a.m.

PT-2024-19989 · Unknown · Micronaut Framework

Name of the Vulnerable Software and Affected Versions: Micronaut Framework versions prior to 3.8.3 Description: The issue concerns enabled but unsecured management endpoints in the Micronaut Framework, which are susceptible to drive-by localhost attacks. A malicious or compromised website can mak...

CVSS: 7.8 · AI score: 7.5 · EPSS: 0.00036
Exploits: 0 · References: 10
Positive Technologies · added 2022/03/07 12:00 a.m.

PT-2022-13422 · Unknown · Calibre-Web

Name of the Vulnerable Software and Affected Versions: calibre-web versions prior to 0.6.17 Description: The issue is related to Server-Side Request Forgery (SSRF) in the GitHub repository janeczku/calibre-web. This is due to an incomplete fix, which results in the blacklist not checking for 0.0.0....

CVSS: 9.8 · AI score: 6.8 · EPSS: 0.00288
Exploits: 1 · References: 7