Lucene search
K

831 matches found

Cvelist
Cvelist
added yesterday21 views

CVE-2026-15526 augmnt augments-mcp-server scan_project_deps scan-project-deps.ts scanProjectDeps path traversal

A flaw has been found in augmnt augments-mcp-server 7.1.0. This issue affects the function scanProjectDeps of the file src/tools/v4/scan-project-deps.ts of the component scanprojectdeps. Executing a manipulation of the argument packageJsonPath can lead to path traversal. The attack can only be...

4.8CVSS0.00137EPSS
Exploits0References6
CVE
CVE
added yesterday9 views

CVE-2026-15526

A vulnerability in augmnt augments-mcp-server 7.1.0 affects the function scanProjectDeps (src/tools/v4/scan-project-deps.ts) of the scan_project_deps component. The issue arises from manipulating the argument packageJsonPath, enabling path traversal. The attack is local, and a proof-of-concept/ex...

4.8CVSS5.6AI score0.00137EPSS
Exploits0References6
EUVD
EUVD
added yesterday5 views

EUVD-2026-43269

A flaw has been found in augmnt augments-mcp-server 7.1.0. This issue affects the function scanProjectDeps of the file src/tools/v4/scan-project-deps.ts of the component scanprojectdeps. Executing a manipulation of the argument packageJsonPath can lead to path traversal. The attack can only be...

4.8CVSS5.6AI score0.00137EPSS
Exploits0References6
NVD
NVD
added 4 days ago6 views

CVE-2026-61459

MCP Server Kubernetes before 3.9.0 contains an argument injection vulnerability in structured tools kubectlget, kubectldescribe, kubectldelete that allows attackers to bypass the assertNoDangerousFlags security check by supplying resourceType and name parameters with leading dashes. Attackers can...

9.8CVSS0.00421EPSS
Exploits0References5
CVE
CVE
added 4 days ago18 views

CVE-2026-61459

Affected software: MCP Server Kubernetes before 3.9.0. Vulnerability: Argument injection in structured tools (kubectl_get, kubectl_describe, kubectl_delete) that bypasses the assertNoDangerousFlags check by using leading dashes for resourceType/name. This allows injection of the --server flag to ...

9.8CVSS6.1AI score0.00421EPSS
Exploits0References5
NVD
NVD
added 5 days ago6 views

CVE-2026-55604

DeepSeek MCP Server is an MCP server for DeepSeek V4. Starting in version 1.4.2 and prior to version 1.7.0, the process-global SessionStore accepts caller-supplied sessionid values without binding them to any authenticated principal or transport session. An attacker can enumerate active session I...

8.6CVSS0.00225EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 5 days ago6 views

CVE-2026-55604

DeepSeek MCP Server is an MCP server for DeepSeek V4. Starting in version 1.4.2 and prior to version 1.7.0, the process-global SessionStore accepts caller-supplied sessionid values without binding them to any authenticated principal or transport session. An attacker can enumerate active session I...

8.6CVSS6AI score0.00225EPSS
Exploits0References3Affected Software1
Cvelist
Cvelist
added 5 days ago32 views

CVE-2026-55605 @arikusi/deepseek-mcp-server Missing Authentication on Self-Hosted HTTP MCP Endpoint

DeepSeek MCP Server is an MCP server for DeepSeek V4. Starting in version 1.4.2 and prior to version 1.8.0, the self-hosted HTTP transport of @arikusi/deepseek-mcp-server exposes POST /mcp without any authentication: createMcpExpressApp is called without an authProvider and no middleware guards t...

5.3CVSS0.00429EPSS
Exploits0References3
RedHat Linux
RedHat Linux
added last week7 views

Important: Red Hat Security Advisory: satellite/foreman-mcp-server-rhel9 container image available as a Technology Preview

A new satellite/foreman-mcp-server-rhel9 container image is now available as a Technology Preview in the Red Hat container registry. Satellite provides a container image that you can use to run an MCP server locally. The MCP server for Satellite is designed for advanced reporting and data analysi...

10CVSS5.8AI score0.01011EPSS
Exploits4References9
OSSF Malicious Packages
OSSF Malicious Packages
added last week10 views

Malicious code in mcp-server-pg (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 22d68bdfced357622e33e4608bd35ded4d8988ea6dc7da073b3a83075978815d On npm install, scripts/postinstall.js unconditionally reads a range of installer-owned identity and configuration files and POSTs a JSON payload to ...

5.9AI score
Exploits0References22
OSV
OSV
added last week5 views

MAL-2026-6922 Malicious code in mcp-server-pg (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 22d68bdfced357622e33e4608bd35ded4d8988ea6dc7da073b3a83075978815d On npm install, scripts/postinstall.js unconditionally reads a range of installer-owned identity and configuration files and POSTs a JSON payload to ...

6.1AI score
Exploits0References22
ATTACKERKB
ATTACKERKB
added 2026/07/05 12:15 p.m.6 views

CVE-2026-14748

A flaw has been found in AIAnytime Awesome-MCP-Server up to a884bb51bcd99e08e14fd712c749d55d9d9a13ab. Affected by this issue is some unknown functionality of the file mcp-wiki/src/mcpwiki/server.py of the component mcp-wiki/wiki-summary. This manipulation of the argument url causes server-side...

6.5CVSS6.2AI score0.00231EPSS
Exploits0References8
CVE
CVE
added 2026/07/05 12:15 p.m.15 views

CVE-2026-14748

CVE-2026-14748 affects AIAnytime Awesome-MCP-Server (mcp-wiki/wiki-summary) via server.py in mcp-wiki/wiki-summary: manipulation of the url parameter enables server-side request forgery. Impact is described as network-accessible with low to moderate confidentiality/integrity/availability effects;...

6.5CVSS6.2AI score0.00231EPSS
Exploits0References8
Positive Technologies
Positive Technologies
added 2026/07/05 12:0 a.m.13 views

PT-2026-55793

Name of the Vulnerable Software and Affected Versions AIAnytime Awesome-MCP-Server versions up to a884bb51bcd99e08e14fd712c749d55d9d9a13ab Description A flaw in the mcp-wiki/wiki-summary component, specifically within the mcp-wiki/src/mcp wiki/server.py file, allows for server-side request forger...

6.5CVSS6.6AI score0.00231EPSS
Exploits0References11
CVE
CVE
added 2026/07/02 8:39 p.m.35 views

CVE-2026-52830

The CVE describes a path-traversal in fast-mcp-telegram prior to 0.19.1 where HTTP Bearer tokens are joined into a session-file path. The verifier rejects only the exact reserved token, not path separators or normalized paths, enabling a remote client to authenticate as the default legacy session...

9.4CVSS5.8AI score0.00423EPSS
Exploits0References2
Circl
Circl
added 2026/07/02 12:35 a.m.7 views

CVE-2026-50143

creationtimestamp| type| source ---|---|--- 2026-07-02 00:35:02+00:00| published-proof-of-concept| https://github.com/apify/apify-mcp-server/security/advisories/GHSA-6gr2-qh89-hxwm...

5.8AI score
Exploits0References1
OSV
OSV
added 2026/07/01 6:41 p.m.3 views

GHSA-GVPP-V77H-5W8G Cortex has Untrusted Project Bootstrap Code Execution via `CLAUDE_PROJECT_DIR`

Untrusted Project Bootstrap Code Execution via CLAUDEPROJECTDIR Summary The Cortex MCP server neuro-cortex-memory treats the CLAUDEPROJECTDIR environment variable — automatically set by Claude Code to the currently open project directory — as a trusted Cortex developer checkout. When the...

8.5CVSS6.6AI score
Exploits0References3
EUVD
EUVD
added 2026/07/01 12:34 a.m.8 views

EUVD-2026-40414

Presenton before 0.8.8-beta bundles an MCP server that, on server/Docker deployments configured with session authentication AUTHUSERNAME/AUTHPASSWORD, is reachable unauthenticated at /mcp because the nginx front-end does not apply the authrequest gate to that path and the MCP server auto-mints a...

6.9CVSS5.8AI score0.00437EPSS
Exploits0References6
NVD
NVD
added 2026/06/30 10:16 p.m.9 views

CVE-2026-58446

Presenton before 0.8.8-beta bundles an MCP server that, on server/Docker deployments configured with session authentication AUTHUSERNAME/AUTHPASSWORD, is reachable unauthenticated at /mcp because the nginx front-end does not apply the authrequest gate to that path and the MCP server auto-mints a...

6.9CVSS0.00437EPSS
Exploits0References5
OSV
OSV
added 2026/06/29 11:50 a.m.5 views

PYSEC-2026-288 aws-mcp has a Command Injection Remote Code Execution Vulnerability

aws-mcp-server AWS CLI Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of aws-mcp-server. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handlin...

9.8CVSS7.9AI score0.01908EPSS
Exploits1References5
Rows per page
Query Builder