2027 matches found
CVE-2026-49357
CVE-2026-49357 affects line-desktop-mcp (LINE Desktop MCP). In --http-mode, the MCP server binds to 0.0.0.0 and exposes the /mcp endpoint without MCP authentication, enabling any network client on the port to initialize a session, list tools, and call tools that read LINE Desktop chat history or ...
PT-2026-50978
Name of the Vulnerable Software and Affected Versions Tilt versions 0.19.5 through 0.37.3 Description The Tilt HUD server mounts Go's net/http/pprof handlers under the '/debug' endpoint without access control. When the HUD is network-exposed, an unauthenticated caller can read process memory via...
CVE-2026-56076 PraisonAI - Cross-Origin Agent Execution via Hardcoded Wildcard CORS and Missing Authentication on AGUI Endpoint
PraisonAI before 1.5.128 contains a cross-origin agent execution vulnerability in the AGUI endpoint that allows remote attackers to trigger arbitrary agent execution. The POST /agui endpoint lacks authentication and hardcodes Access-Control-Allow-Origin: headers, combined with Starlette's...
CVE-2026-49257
mcp-pinot is a Python-based Model Context Protocol MCP server for interacting with Apache Pinot. In versions 3.0.1 and below, mcp-pinot defaults to running an HTTP MCP server bound to 0.0.0.0:8080 with no authentication enabled. All MCP tools, including SQL query execution, schema creation, and...
GHSA-VMF9-XX9W-86WX PraisonAI ToolsMCPServer legacy SSE transport accepts attacker Host/Origin and exposes registered tools
PraisonAI ToolsMCPServer legacy SSE transport accepts attacker Host/Origin and exposes registered tools Summary praisonaiagents.mcp.ToolsMCPServer.runsse builds a Starlette MCP HTTP+SSE server around mcp.server.sse.SseServerTransport. The server exposes /sse and /messages/, but it does not valida...
EUVD-2026-37872
claudiopizzillo PIAF-HMS PBX-In-A-Flash Hotel Management System; no released versions, latest commit 389d2633441b65ced1c104212cd62be2bfca21e5 contains multiple unauthenticated SQL injection vulnerabilities. The application has no authentication mechanism and passes user-supplied HTTP parameters...
CVE-2026-0141
CVE-2026-0141 describes a likely out-of-bounds read in decodeAppPacket of RtcpAppPacket.cpp caused by a missing bounds check. The vulnerability enables a remote information disclosure without requiring additional execution privileges and without user interaction. Public references in the provided...
CVE-2026-42752
Unauthenticated Bypass Vulnerability in Stripe Payments = 2.0.98 versions...
PT-2026-49470
Name of the Vulnerable Software and Affected Versions MultiJuicer versions 8.0.0 through 10.0.0 Description The team join endpoint 'POST /multi-juicer/api/teams/team/join' accepts requests with any Content-Type, including text/plain. Since this content type does not trigger a Cross-Origin Resourc...
Exploit for Memory Allocation with Excessive Size Value in Apache Http_Server
CVE-2026-49975 HTTP/2 Bomb Complete Reproduction Guide Bas...
CVE-2026-53519 Nezha Monitoring: Pre-auth path traversal via /dashboard.. prefix confusion leaks jwt_secret_key
Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. Prior to version 2.0.13, fallbackToFrontend in the dashboard's NoRoute handler treats any URL whose raw string starts with /dashboard as an admin-frontend asset request. The check uses strings.HasPrefi...
CVE-2026-42604
Actual is a local-first personal finance tool. The POST /openid/config endpoint in Actual Budget's sync-server versions = 26.4.0 exposes the full OpenID Connect configuration—including the OAuth2 clientsecret—to any caller who knows the bootstrap password. The endpoint also lacks authentication a...
CVE-2026-42604 Actual has an OpenID `client_secret` Disclosure via Broken Authorization Guard in `/openid/config`
Actual is a local-first personal finance tool. The POST /openid/config endpoint in Actual Budget's sync-server versions = 26.4.0 exposes the full OpenID Connect configuration—including the OAuth2 clientsecret—to any caller who knows the bootstrap password. The endpoint also lacks authentication a...
CVE-2026-42604 Actual has an OpenID `client_secret` Disclosure via Broken Authorization Guard in `/openid/config`
Actual is a local-first personal finance tool. The POST /openid/config endpoint in Actual Budget's sync-server versions = 26.4.0 exposes the full OpenID Connect configuration—including the OAuth2 clientsecret—to any caller who knows the bootstrap password. The endpoint also lacks authentication a...
CVE-2026-42604
The CVE concerns Actual Budget’s sync-server (local-first Personal Finance tool). Versions ≤ 26.4.0 expose the full OpenID Connect configuration, including the OAuth2 client_secret, via POST /openid/config to callers who know the bootstrap password. The endpoint lacks authentication and rate limi...
CVE-2026-50085 Aqara Board IoT insecure debug API
The Aqara Board service op-test.aqara.com accepts arbitrary MQTT command payloads, and forwards them to the platfom's HiveMQ broker without authentication. This is an instance of "CWE-306: Missing Authentication for Critical Function" and has an estimated CVSS...
PT-2026-48910
Name of the Vulnerable Software and Affected Versions Aqara IAM/SSO gateway affected versions not specified Description The IAM/SSO gateway at 'gw-builder.aqara.com' exposes an unauthenticated AES oracle, allowing bidirectional AES round-trips against the platform's signing key. This occurs due t...
PT-2026-48909
Name of the Vulnerable Software and Affected Versions Aqara Board service affected versions not specified Description The Aqara Board service at the endpoint "op-test.aqara.com" accepts arbitrary MQTT command payloads and forwards them to the platform's HiveMQ broker without authentication. This...
CVE-2026-5497
CVE-2026-5497 affects vLLM 0.8.0 and later, where VideoMediaIO.load_base64() can perform unbounded frame processing for video/jpeg data URLs, leading to an Out-of-Memory DoS. An attacker can craft a single API request with thousands of comma-separated base64 JPEG frames, causing the server to dec...
CVE-2026-46612
Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.23.0, the Fission storagesvc component registers archive CRUD handlers /v1/archive GET / POST / DELETE and /v1/archives list directly on...