14167 matches found

Source: CVE (added 2026/03/27 9:20 p.m., 14 views)

CVE-2026-33946

The CVE affects the MCP Ruby SDK prior to 0.9.2. In streamable_http_transport.rb, an attacker with a valid session ID can hijack the victim's SSE stream and intercept real-time data, due to insufficient session binding. Version 0.9.2 patches this. No additional exploit details are provided beyond...

CVSS 8.2 | AI score 5.9 | EPSS 0.00064 | Exploits: 1 | References: 8 | Affected software: 1
Source: Vulnrichment (added 2026/03/27 9:20 p.m., 1 view)

CVE-2026-33946 MCP Ruby SDK: Insufficient Session Binding Allows SSE Stream Hijacking via Session ID Replay

MCP Ruby SDK is the official Ruby SDK for Model Context Protocol servers and clients. Prior to version 0.9.2, the Ruby SDK's streamable_http_transport.rb implementation contains a session hijacking vulnerability. An attacker who obtains a valid session ID can completely hijack the victim's...

CVSS 8.2 | AI score 5.9 | EPSS 0.00064 | Exploits: 1 | References: 8
Source: Cvelist (added 2026/03/27 9:20 p.m., 18 views)

CVE-2026-33946 MCP Ruby SDK: Insufficient Session Binding Allows SSE Stream Hijacking via Session ID Replay

MCP Ruby SDK is the official Ruby SDK for Model Context Protocol servers and clients. Prior to version 0.9.2, the Ruby SDK's streamable_http_transport.rb implementation contains a session hijacking vulnerability. An attacker who obtains a valid session ID can completely hijack the victim's...

CVSS 8.2 | EPSS 0.00064 | Exploits: 1 | References: 8
Source: OSV (added 2026/03/27 9:20 p.m., 3 views)

CVE-2026-33946 MCP Ruby SDK: Insufficient Session Binding Allows SSE Stream Hijacking via Session ID Replay

MCP Ruby SDK is the official Ruby SDK for Model Context Protocol servers and clients. Prior to version 0.9.2, the Ruby SDK's streamable_http_transport.rb implementation contains a session hijacking vulnerability. An attacker who obtains a valid session ID can completely hijack the victim's...

CVSS 8.2 | AI score 5.9 | EPSS 0.00064 | Exploits: 1 | References: 10
Source: Github Security Blog (added 2026/03/27 7:43 p.m., 5 views)

Ruby LSP has arbitrary code execution through branch setting

Summary: The rubyLsp.branch VS Code workspace setting was interpolated without sanitization into a generated Gemfile, allowing arbitrary Ruby code execution when a user opens a project containing a malicious .vscode/settings.json. Other editors that support workspace settings that get automatically...

CVSS 9.8 | AI score 6.3 | EPSS 0.00048 | Exploits: 0 | References: 5 | Affected software: 1
Source: OSV (added 2026/03/27 7:43 p.m., 0 views)

GHSA-C4R5-FXQW-VH93 Ruby LSP has arbitrary code execution through branch setting

Summary: The rubyLsp.branch VS Code workspace setting was interpolated without sanitization into a generated Gemfile, allowing arbitrary Ruby code execution when a user opens a project containing a malicious .vscode/settings.json. Other editors that support workspace settings that get automatically...

CVSS 7.1 | AI score 6.3 | EPSS 0.00048 | Exploits: 0 | References: 5
Source: Snyk (added 2026/03/27 7:43 p.m., 3 views)

Arbitrary Code Injection

Overview: Affected versions of this package are vulnerable to Arbitrary Code Injection via unsanitized interpolation of the branch setting in the Gemfile generation process. An attacker can execute arbitrary Ruby code by crafting a malicious .vscode/settings.json or equivalent workspace...

CVSS 9.8 | AI score 6.2 | EPSS 0.00048 | Exploits: 0 | References: 2
Source: OSV (added 2026/03/27 1:38 p.m., 1 view)

MAL-2026-2265 Malicious code in monolith-twirp-codingagentintegrations-codingagentintegrations (RubyGems)

Per-source details. Source: ossf-package-analysis 24ecd94ab40a4a1b574b48137b92d60ad65d610301ee07661c928706bd54c81b. The OpenSSF Package Analysis project identified 'monolith-twirp-codingagentintegrations-codingagentintegrations' @ 1.0.2 rubygems as malicious. ...

AI score 5.8 | Exploits: 0
Source: OSSF Malicious Packages (added 2026/03/27 1:38 p.m., 2 views)

Malicious code in monolith-twirp-codingagentintegrations-codingagentintegrations (RubyGems)

Per-source details. Source: ossf-package-analysis 24ecd94ab40a4a1b574b48137b92d60ad65d610301ee07661c928706bd54c81b. The OpenSSF Package Analysis project identified 'monolith-twirp-codingagentintegrations-codingagentintegrations' @ 1.0.2 rubygems as malicious. ...

AI score 5.8 | Exploits: 0
Source: OSSF Malicious Packages (added 2026/03/27 1:37 p.m., 2 views)

Malicious code in monolith-twirp-copilot-registry (RubyGems)

Per-source details. Source: ossf-package-analysis d1eb9592b2f976d7d487d44c8f45592b2953e5f51edfeee7242e020dfb64176f. The OpenSSF Package Analysis project identified 'monolith-twirp-copilot-registry' @ 1.0.6 rubygems as malicious. It is considered malicious...

AI score 5.8 | Exploits: 0
Source: OSV (added 2026/03/27 1:37 p.m., 2 views)

MAL-2026-2266 Malicious code in monolith-twirp-copilot-registry (RubyGems)

Per-source details. Source: ossf-package-analysis d1eb9592b2f976d7d487d44c8f45592b2953e5f51edfeee7242e020dfb64176f. The OpenSSF Package Analysis project identified 'monolith-twirp-copilot-registry' @ 1.0.6 rubygems as malicious. It is considered malicious...

AI score 5.8 | Exploits: 0
Source: OSSF Malicious Packages (added 2026/03/27 1:36 p.m., 2 views)

Malicious code in monolith-twirp-partitioning-pull_requests (RubyGems)

Per-source details. Source: ossf-package-analysis 4214957e3e8849b6df7eb3bbd1b2c6e547fe8aa2c590a8a3a644e7d6ea8d73ed. The OpenSSF Package Analysis project identified 'monolith-twirp-partitioning-pull_requests' @ 1.0.2 rubygems as malicious. It is considered...

AI score 5.8 | Exploits: 0
Source: OSV (added 2026/03/27 1:36 p.m., 3 views)

MAL-2026-2267 Malicious code in monolith-twirp-partitioning-pull_requests (RubyGems)

Per-source details. Source: ossf-package-analysis 4214957e3e8849b6df7eb3bbd1b2c6e547fe8aa2c590a8a3a644e7d6ea8d73ed. The OpenSSF Package Analysis project identified 'monolith-twirp-partitioning-pull_requests' @ 1.0.2 rubygems as malicious. It is considered...

AI score 5.8 | Exploits: 0
Source: OSV (added 2026/03/27 1:27 p.m., 3 views)

MAL-2026-2262 Malicious code in monolith-twirp-pullsd-teams (RubyGems)

Per-source details. Source: ossf-package-analysis b0a21f2e863ad85bc56da074019b5369ed68dc7280d0c81ff65dd8425308c7f6. The OpenSSF Package Analysis project identified 'monolith-twirp-pullsd-teams' @ 1.1.1 rubygems as malicious. It is considered malicious because:...

AI score 5.8 | Exploits: 0
Source: OSSF Malicious Packages (added 2026/03/27 1:26 p.m., 3 views)

Malicious code in monolith-twirp-loops-core (RubyGems)

Per-source details. Source: ossf-package-analysis 8d4a98f58930eb7f736a5c69a6cf5de5b6dd033785255d4d55ae1da5a5866629. The OpenSSF Package Analysis project identified 'monolith-twirp-loops-core' @ 1.0.2 rubygems as malicious. It is considered malicious because: -...

AI score 5.8 | Exploits: 0
Source: OSV (added 2026/03/27 1:26 p.m., 2 views)

MAL-2026-2261 Malicious code in monolith-twirp-pullsd-repositories (RubyGems)

Per-source details. Source: ossf-package-analysis 1c34eecc811d04d6583504ad631024a727df5e2107a1025a2786bf8a56a59d3a. The OpenSSF Package Analysis project identified 'monolith-twirp-pullsd-repositories' @ 1.0.10 rubygems as malicious. It is considered malicious...

AI score 5.8 | Exploits: 0
Source: OSSF Malicious Packages (added 2026/03/27 1:26 p.m., 4 views)

Malicious code in monolith-twirp-pullsd-repositories (RubyGems)

Per-source details. Source: ossf-package-analysis 1c34eecc811d04d6583504ad631024a727df5e2107a1025a2786bf8a56a59d3a. The OpenSSF Package Analysis project identified 'monolith-twirp-pullsd-repositories' @ 1.0.10 rubygems as malicious. It is considered malicious...

AI score 5.8 | Exploits: 0
Source: OSV (added 2026/03/27 1:26 p.m., 1 view)

MAL-2026-2260 Malicious code in monolith-twirp-pullsd-pullrequestinfo (RubyGems)

Per-source details. Source: ossf-package-analysis a6f4e556f55b516ccdd02700729877fa73287ece3920dfc7288d673ed337d5e6. The OpenSSF Package Analysis project identified 'monolith-twirp-pullsd-pullrequestinfo' @ 1.0.1 rubygems as malicious. It is considered maliciou...

AI score 5.8 | Exploits: 0
Source: OSSF Malicious Packages (added 2026/03/27 1:26 p.m., 4 views)

Malicious code in monolith-twirp-pullsd-pullrequestinfo (RubyGems)

Per-source details. Source: ossf-package-analysis a6f4e556f55b516ccdd02700729877fa73287ece3920dfc7288d673ed337d5e6. The OpenSSF Package Analysis project identified 'monolith-twirp-pullsd-pullrequestinfo' @ 1.0.1 rubygems as malicious. It is considered maliciou...

AI score 5.8 | Exploits: 0
Source: OSV (added 2026/03/27 1:26 p.m., 4 views)

MAL-2026-2264 Malicious code in monolith-twirp-scribe-scribe (RubyGems)

Per-source details. Source: ossf-package-analysis b03619db6c705a6825d54849e5322d125ae380dbb1f7e404b46718868185faeb. The OpenSSF Package Analysis project identified 'monolith-twirp-scribe-scribe' @ 1.0.6 rubygems as malicious. It is considered malicious because...

AI score 5.8 | Exploits: 0