CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

OSV•added 2026/05/14 8:55 p.m.•4 views

GHSA-R8J5-8747-88CM @utcp/http: SSRF via attacker-controlled OpenAPI servers[0].url in HTTP communication protocol

Summary The @utcp/http package is vulnerable to a blind Server-Side Request Forgery SSRF caused by a trust-boundary inconsistency between manual discovery and tool invocation. registerManual validates the discovery URL against an HTTPS / loopback allowlist, but callTool reuses the resolved...

4.7CVSS6AI score0.00029EPSS

Exploits0References3

Snyk•added 2026/05/14 8:55 p.m.•4 views

Server-side Request Forgery (SSRF)

Overview @utcp/http is a HTTP utilities for UTCP Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the OpenApiConverter process. An attacker can access internal network resources and sensitive metadata endpoints by supplying a malicious OpenAPI specification...

4.7CVSS5.8AI score0.00029EPSS

Github Security Blog•added 2026/05/14 8:55 p.m.•14 views

@utcp/http: SSRF via attacker-controlled OpenAPI servers[0].url in HTTP communication protocol

4.7CVSS6AI score0.00029EPSS

Exploits0References3Affected Software1

CVE•added 2026/05/14 8:12 p.m.•4 views

CVE-2026-44661

CVE-2026-44661 affects python-utcp (utcp-http plugin) prior to v1.1.3. The vulnerability arises because register_manual() validates discovery URLs against an HTTPS/loopback allowlist, while call_tool()/call_tool_streaming() reuse tool_call_template.url without revalidation and the OpenAPI convert...

4.7CVSS5.8AI score0.00009EPSS

Vulnrichment•added 2026/05/14 8:12 p.m.•6 views

CVE-2026-44661 python-utcp: SSRF via attacker-controlled OpenAPI servers[0].url in HTTP communication protocol

4.7CVSS5.8AI score0.00009EPSS

EUVD•added 2026/05/14 8:12 p.m.•3 views

EUVD-2026-30479

4.7CVSS5.8AI score0.00009EPSS

Cvelist•added 2026/05/14 8:12 p.m.•26 views

CVE-2026-44661 python-utcp: SSRF via attacker-controlled OpenAPI servers[0].url in HTTP communication protocol

4.7CVSS0.00009EPSS

Positive Technologies•added 2026/05/14 12:0 a.m.•6 views

PT-2026-41184

Name of the Vulnerable Software and Affected Versions @utcp/http versions prior to 1.1.2 Description The @utcp/http package is subject to a blind Server-Side Request Forgery SSRF, a flaw where an attacker can force the server to make requests to an unintended location. This is caused by a...

4.7CVSS5.8AI score0.00029EPSS

Exploits0References5

RedhatCVE•added 2026/05/11 8:26 p.m.•5 views

CVE-2026-42333

Quarkus OpenAPI Generator is Quarkus' extensions for generation of Rest Clients and server stubs generation. Prior to versions 2.11.1-lts, 2.16.0-lts, and 2.17.0, the generated authentication filter matches OpenAPI path templates too broadly when deciding whether to attach credentials. A security...

6.3CVSS5.7AI score0.00218EPSS

EUVD•added 2026/05/11 6:31 p.m.•7 views

EUVD-2026-29103

In Meari client applications embedding "com.meari.sdk" including CloudEdge 5.5.0 build 220, Arenti 1.8.1 build 220, and related white-label = 1.8.x, the integrated call path to openapi-euce.mearicloud.com can be abused to retrieve WAN IP data for arbitrary devices. The root cause is a server-side...

NVD•added 2026/05/11 5:16 p.m.•6 views

Exploits0References3

CVE-2026-33357

7.5CVSS0.00042EPSS

Cvelist•added 2026/05/11 4:2 p.m.•25 views

CVE-2026-33357 Meari OpenAPI device status IDOR

7.5CVSS0.00042EPSS

ATTACKERKB•added 2026/05/11 4:2 p.m.•3 views

CVE-2026-33357

CVE•added 2026/05/11 4:2 p.m.•6 views

Exploits0References3

CVE-2026-33357

CVE-2026-33357 affects Meari client applications that embed com.meari.sdk, including CloudEdge 5.5.0 build 220, Arenti 1.8.1 build 220, and related white-label

Vulnrichment•added 2026/05/11 4:2 p.m.•4 views

CVE-2026-33357 Meari OpenAPI device status IDOR