2 matches found
Claude Code Action: Malicious MCP Server Configuration in PRs Enables Remote Code Execution and Secret Exfiltration
Due to the combination of checking out PR head branches attacker-controlled, reading .mcp.json from the working directory via default setting sources, and unconditionally enabling all project MCP servers via enableAllProjectMcpServers, it was possible for an attacker who opened a PR containing a...
CVE-2025-13467 Org.keycloak.storage.ldap: keycloak: deserialization of untrusted data in ldap user federation
A flaw was found in the Keycloak LDAP User Federation provider. This vulnerability allows an authenticated realm administrator to trigger deserialization of untrusted Java objects via a malicious LDAP server configuration...