Lucene search
+L

5 matches found

nvd
nvd
added yesterday5 views

CVE-2026-49988

Repomix is a tool that packs repositories into AI-friendly files. Prior to 1.14.1, the Repomix MCP server attachpackedoutput and readrepomixoutput flow can register and read arbitrary local .json, .txt, .md, or .xml files without the filesystemreadfile runSecretLint safety check or Repomix...

6.8CVSS0.00028EPSS
Exploits0References3
euvd
euvd
added 2026/07/02 4:5 p.m.15 views

EUVD-2026-36320

OpenClaw: Hook-triggered CLI runs could receive owner MCP tool authority...

8.7CVSS5.8AI score0.00281EPSS
Exploits0References3
cve
cve
added 2026/06/11 8:8 p.m.47 views

CVE-2026-53814

OpenClaw before 2026.5.20 contains a privilege-escalation vulnerability in which a hook-triggered agent runs with owner-scoped MCP loopback authority instead of the hook-appropriate scope. Attackers with a valid hook token can use the /hooks/agent endpoint to cause spawned CLI runtimes to access ...

8.7CVSS5.5AI score0.00281EPSS
Exploits0References2Affected Software1
cvelist
cvelist
added 2026/02/09 9:1 a.m.35 views

CVE-2026-25905 Lack of isolation in mcp-run-python leads to MCP server takeover

The Python code being run by 'runPython' or 'runPythonAsync' is not isolated from the rest of the JS code, allowing any Python code to use the Pyodide APIs to modify the JS environment. This may result in an attacker hijacking the MCP server - for malicious purposes including MCP tool shadowing...

5.8CVSS0.00177EPSS
Exploits0References1
ptsecurity
ptsecurity
added 2026/02/09 12:0 a.m.10 views

PT-2026-7090

Name of the Vulnerable Software and Affected Versions MCP affected versions not specified Description The Python code executed by the 'runPython' or 'runPythonAsync' functions lacks isolation from other JavaScript code. This allows Python code to utilize Pyodide APIs to alter the JavaScript...

5.8CVSS6AI score0.00177EPSS
Exploits0References12
Rows per page
Query Builder