Lucene search
K

35 matches found

NVD
NVD
added 2026/07/01 4:16 p.m.17 views

CVE-2026-57517

Control Web Panel before 0.9.8.1225 contains a blind SQL injection vulnerability that allows unauthenticated remote attackers to execute arbitrary SQL queries by submitting unsanitized input through the userRes POST parameter at the user endpoint. Attackers can exploit MySQL root privileges...

9.8CVSS0.00587EPSS
Exploits2References4
NVD
NVD
added 2026/06/25 5:16 p.m.8 views

CVE-2026-54030

LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. Prior to 0.8.5, LibreChat's MCP OAuth implementation does not validate that the resource parameter from OAuth Protected Resource metadata RFC 9728 matches the configured MCP server URL, allowing a malicious MCP server to...

9.3CVSS0.00113EPSS
Exploits1References1
Cvelist
Cvelist
added 2026/06/25 3:48 p.m.33 views

CVE-2026-54030 LibreChat: Missing Resource Parameter Validation in MCP OAuth Flow

LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. Prior to 0.8.5, LibreChat's MCP OAuth implementation does not validate that the resource parameter from OAuth Protected Resource metadata RFC 9728 matches the configured MCP server URL, allowing a malicious MCP server to...

8CVSS0.00113EPSS
Exploits1References1
ATTACKERKB
ATTACKERKB
added 2026/06/25 3:48 p.m.6 views

CVE-2026-54030

LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. Prior to 0.8.5, LibreChat's MCP OAuth implementation does not validate that the resource parameter from OAuth Protected Resource metadata RFC 9728 matches the configured MCP server URL, allowing a malicious MCP server to...

8CVSS5.9AI score0.00113EPSS
Exploits1References2Affected Software1
CVE
CVE
added 2026/06/25 3:48 p.m.17 views

CVE-2026-54030

CVE-2026-54030 affects LibreChat (MCP OAuth flow). Before v0.8.5, the OAuth Protected Resource metadata’s resource parameter is not validated against the MCP server URL, enabling a malicious MCP server to steal access tokens intended for a legitimate server. Affected version range includes pre-0....

9.3CVSS5.9AI score0.00113EPSS
Exploits1References1Affected Software1
OSV
OSV
added 2026/06/25 3:48 p.m.4 views

CVE-2026-54030 LibreChat: Missing Resource Parameter Validation in MCP OAuth Flow

LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. Prior to 0.8.5, LibreChat's MCP OAuth implementation does not validate that the resource parameter from OAuth Protected Resource metadata RFC 9728 matches the configured MCP server URL, allowing a malicious MCP server to...

8CVSS6AI score0.00113EPSS
Exploits1References3
Positive Technologies
Positive Technologies
added 2026/06/25 12:0 a.m.24 views

PT-2026-52494

Name of the Vulnerable Software and Affected Versions LibreChat versions prior to 0.8.5 Description LibreChat is an enhanced ChatGPT clone supporting multiple AI providers. The MCP OAuth implementation fails to validate that the resource parameter from OAuth Protected Resource metadata RFC 9728...

9.3CVSS5.8AI score0.00113EPSS
Exploits1References5
Snyk
Snyk
added 2026/05/20 9:45 p.m.15 views

Relative Path Traversal

Overview Affected versions of this package are vulnerable to Relative Path Traversal via the resource parameter in the ssx and jsx endpoints when a leading slash is used. An attacker can access sensitive configuration files by crafting a URL that traverses directories. Note: This issue is due to...

9.8CVSS5.8AI score0.19538EPSS
Exploits1References2
Positive Technologies
Positive Technologies
added 2026/05/20 12:0 a.m.18 views

PT-2026-42215

Name of the Vulnerable Software and Affected Versions XWiki Platform versions prior to 18.1.0-rc-1 XWiki Platform versions prior to 17.10.3 XWiki Platform versions prior to 17.4.9 XWiki Platform versions prior to 16.10.17 Description Path Traversal allows unauthorized access to read configuration...

9.3CVSS5.8AI score0.19538EPSS
Exploits1References8
RedhatCVE
RedhatCVE
added 2026/03/17 1:28 p.m.3 views

CVE-2025-69196

A flaw was found in FastMCP, a framework for building MCP applications. The server does not correctly process the resource parameter provided by the client during authorization and token requests. This can lead to security tokens being issued for an unintended base URL Uniform Resource Locator...

7.4CVSS5.7AI score0.00358EPSS
Exploits1References4
NVD
NVD
added 2026/03/16 7:16 p.m.5 views

CVE-2025-69196

FastMCP is the standard framework for building MCP applications. Prior to version 2.14.2, the server does not properly respect the resource parameter submitted by the client in the authorization and token request. Instead of issuing the token explicitly for the MCP server, the token is issued for...

7.4CVSS0.00358EPSS
Exploits1References5
OSV
OSV
added 2026/03/16 6:7 p.m.9 views

CVE-2025-69196 FastMCP OAuth Proxy token reuse across MCP servers

FastMCP is the standard framework for building MCP applications. Prior to version 2.14.2, the server does not properly respect the resource parameter submitted by the client in the authorization and token request. Instead of issuing the token explicitly for the MCP server, the token is issued for...

7.4CVSS5.7AI score0.00358EPSS
Exploits1References7
Github Security Blog
Github Security Blog
added 2026/03/16 3:14 p.m.8 views

FastMCP OAuth Proxy token reuse across MCP servers

While testing the OAuth Proxy implementation, it was noticed that the server does not properly respect the resource parameter submitted by the client in the authorization and token request. Instead of issuing the token explicitly for this MCP server, the token is issued for the baseurl passed to...

7.4CVSS5.8AI score0.00358EPSS
Exploits1References3Affected Software1
Positive Technologies
Positive Technologies
added 2026/03/16 12:0 a.m.4 views

PT-2026-25775

Name of the Vulnerable Software and Affected Versions FastMCP versions prior to 2.14.2 Description FastMCP, a framework for building MCP applications, does not properly validate the resource parameter submitted by the client during authorization and token requests. Instead of issuing tokens...

7.4CVSS5.4AI score0.00358EPSS
Exploits1References13
RedhatCVE
RedhatCVE
added 2026/01/13 10:52 p.m.5 views

CVE-2025-15055

The SlimStat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'notes' and 'resource' parameters in all versions up to, and including, 5.3.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...

7.2CVSS5.2AI score0.00247EPSS
Exploits0References1
NVD
NVD
added 2026/01/09 7:16 a.m.11 views

CVE-2025-15055

The SlimStat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'notes' and 'resource' parameters in all versions up to, and including, 5.3.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...

7.2CVSS0.00247EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/01/09 6:34 a.m.3 views

CVE-2025-15055 SlimStat Analytics <= 5.3.4 - Unauthenticated Stored Cross-Site Scripting via 'notes/resource' Parameters

The SlimStat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'notes' and 'resource' parameters in all versions up to, and including, 5.3.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...

7.2CVSS4.9AI score0.00247EPSS
Exploits0References2
CVE
CVE
added 2026/01/09 6:34 a.m.20 views

CVE-2025-15055

CVE-2025-15055 : WordPress SlimStat Analytics plugin is vulnerable to unauthenticated Stored Cross-Site Scripting via the notes and resource parameters in versions up to 5.3.4. The flaw arises from insufficient input sanitization and output escaping, enabling an attacker to inject script that exe...

7.2CVSS4.9AI score0.00247EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/01/09 12:0 a.m.9 views

PT-2026-1766

Name of the Vulnerable Software and Affected Versions SlimStat Analytics plugin for WordPress versions prior to 5.3.5 Description The SlimStat Analytics plugin for WordPress is susceptible to Stored Cross-Site Scripting. This is due to inadequate input sanitization and output escaping in the...

7.2CVSS6.1AI score0.00247EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2025/12/19 12:0 a.m.5 views

PT-2025-52436

The SlimStat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'outbound resource' parameter in the slimtrack AJAX action in all versions up to, and including, 5.3.2. This is due to insufficient input sanitization and output escaping on user supplied attributes...

6.1CVSS5.2AI score0.00377EPSS
Exploits0References5
Rows per page
Query Builder