37 matches found

Cvelist
added 2025/12/17 10:12 p.m. · 20 views

CVE-2025-68145 mcp-server-git has missing path validation when using --repository flag

In mcp-server-git versions prior to 2025.12.17, when the server is started with the --repository flag to restrict operations to a specific repository path, it did not validate that repo_path arguments in subsequent tool calls were actually within that configured path. This could allow tool calls t...

CVSS 6.4 · EPSS 0.06197
Exploits 0 · References 1
CNNVD
added 2025/12/17 12:00 a.m. · 2 views

Model Context Protocol Servers path traversal vulnerability

Model Context Protocol Servers is a large-model context protocol server from the Model Context Protocol open-source project. A path traversal vulnerability exists in versions of Model Context Protocol Servers prior to 2025.12.17, which stems from a failure to verify that the repo_path parameter in subsequent...

CVSS 9.1 · AI score 6.4 · EPSS 0.06197
Exploits 0 · References 2
Positive Technologies
added 2025/12/17 12:00 a.m. · 5 views

PT-2025-51938

Name of the Vulnerable Software and Affected Versions: mcp-server-git versions prior to 2025.12.17. Description: In mcp-server-git versions prior to 2025.12.17, the server did not validate that repo path arguments in subsequent tool calls were within the configured repository path when started with...

CVSS 9.1 · AI score 6.1 · EPSS 0.06197
Exploits 0 · References 16
OSV
added 2025/10/23 4:25 p.m. · 1 view

GO-2025-3982 Rancher sends sensitive information to external services through the `/meta/proxy` endpoint in github.com/rancher/rancher

Rancher sends sensitive information to external services through the /meta/proxy endpoint in github.com/rancher/rancher. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive...

CVSS 4.7 · AI score 6.6 · EPSS 0.00339
Exploits 0 · References 3
EUVD
added 2025/10/03 8:07 p.m. · 2 views

EUVD-2025-28380

Malicious code in bioql PyPI...

CVSS 6.1 · AI score 6.6 · EPSS 0.00264
Exploits 1 · References 1
EUVD
added 2025/10/03 8:07 p.m. · 3 views

EUVD-2022-52979

Malicious code in bioql PyPI...

CVSS 9.3 · AI score 9.2 · EPSS 0.01118
Exploits 1 · References 1
EUVD
added 2025/10/03 8:07 p.m. · 5 views

EUVD-2021-27510

Malicious code in bioql PyPI...

CVSS 7.5 · AI score 7.7 · EPSS 0.02976
Exploits 1 · References 5
OSV
added 2025/08/27 4:15 p.m. · 2 views

CVE-2025-50978

In Gitblit v1.7.1, a reflected cross-site scripting (XSS) vulnerability exists in the way repository path names are handled. By injecting a specially crafted path payload, an attacker can cause arbitrary JavaScript to execute when a victim views the manipulated URL. This flaw stems from insufficient...

CVSS 6.1 · AI score 6
Exploits 0 · References 1
Positive Technologies
added 2025/08/27 12:00 a.m. · 3 views

PT-2025-34880 · Gitblit

Name of the Vulnerable Software and Affected Versions: Gitblit version 1.7.1. Description: Gitblit version 1.7.1 contains a reflected cross-site scripting (XSS) flaw due to insufficient input sanitization of filename elements when handling repository path names. An attacker can inject a crafted path...

CVSS 6.1 · AI score 5.7 · EPSS 0.00264
Exploits 1 · References 4
Cvelist
added 2025/08/27 12:00 a.m. · 7 views

CVE-2025-50978

In Gitblit v1.7.1, a reflected cross-site scripting (XSS) vulnerability exists in the way repository path names are handled. By injecting a specially crafted path payload, an attacker can cause arbitrary JavaScript to execute when a victim views the manipulated URL. This flaw stems from insufficient...

EPSS 0.00264
Exploits 1 · References 1
Snyk
added 2025/06/24 4:57 a.m. · 1 view

UNIX Symbolic Link (Symlink) Following

Overview: Affected versions of this package are vulnerable to UNIX Symbolic Link (Symlink) Following via improper checks of a path's existence under the .git directory. An attacker can execute arbitrary commands with the privileges of the configured account in RUN_USER. By exploiting this flaw, an...

CVSS 10 · AI score 7.7 · EPSS 0.00952
Exploits 0 · References 2
OSV
added 2025/03/20 12:32 p.m. · 2 views

GHSA-75PX-35P4-QQ6H Aim External Control of File Name or Path vulnerability

A vulnerability in aimhubio/aim version 3.19.3 allows an attacker to exploit the tarfile.extractall function to extract the contents of a maliciously crafted tarfile to arbitrary locations on the host server. The attacker can control repo.path and run_hash to bypass directory existence checks and...

CVSS 9.1 · AI score 6 · EPSS 0.0081
Exploits 1 · References 3
VulnCheck KEV
added 2024/09/16 12:00 a.m. · 1 view

VulnCheck KEV: CVE-2024-6396

A vulnerability in the backup_run function in aimhubio/aim version 3.19.3 allows remote attackers to overwrite any file on the host server and exfiltrate arbitrary data. The vulnerability arises due to improper handling of the run_hash and repo.path parameters, which can be manipulated...

CVSS 9.8 · AI score 5.9 · EPSS 0.53394
Exploits 1 · References 1
OSV
added 2021/08/31 4:15 a.m. · 1 view

DEBIAN-CVE-2021-40330

git_connect_git in connect.c in Git before 2.30.1 allows a repository path to contain a newline character, which may result in unexpected cross-protocol requests, as demonstrated by the git://localhost:1234/%0d%0a%0d%0aGET%20/%20HTTP/1.1 substring...

CVSS 7.5 · AI score 7.5 · EPSS 0.02976
Exploits 1 · References 1
NVD
added 2021/08/31 4:15 a.m. · 10 views

CVE-2021-40330

git_connect_git in connect.c in Git before 2.30.1 allows a repository path to contain a newline character, which may result in unexpected cross-protocol requests, as demonstrated by the git://localhost:1234/%0d%0a%0d%0aGET%20/%20HTTP/1.1 substring...

CVSS 7.5 · EPSS 0.02976
Exploits 1 · References 3
UbuntuCve
added 2021/08/31 4:15 a.m. · 25 views

CVE-2021-40330

git_connect_git in connect.c in Git before 2.30.1 allows a repository path to contain a newline character, which may result in unexpected cross-protocol requests, as demonstrated by the git://localhost:1234/%0d%0a%0d%0aGET%20/%20HTTP/1.1 substring...

CVSS 7.5 · AI score 7.1 · EPSS 0.02976
Exploits 1 · References 3
securityvulns
added 2008/08/15 12:00 a.m. · 26 views

git buffer overflow

Buffer overflow on oversized repository path...

CVSS 7.5 · AI score 3.9 · EPSS 0.04302
Exploits 1 · References 1