Lucene search
K

201 matches found

Veracode
Veracode
added 2026/04/15 2:33 p.m.9 views

Injection

@nestjs/core is vulnerable to Injection. The vulnerability is due to unsanitized interpolation of user-controlled fields into Server-Sent Events output, which allows an attacker to inject arbitrary events, spoof event types, and manipulate the event stream...

6.3CVSS5.9AI score0.00234EPSS
Exploits0References5Affected Software1
OSV
OSV
added 2026/04/14 12:3 a.m.5 views

GHSA-J98M-W3XP-9F56 excel-mcp-server has a Path Traversal issue

Summary A path traversal vulnerability exists in excel-mcp-server versions up to and including 0.1.7. When running in SSE or Streamable-HTTP transport mode the documented way to use this server remotely, an unauthenticated attacker on the network can read, write, and overwrite arbitrary files on...

9.4CVSS6AI score0.00391EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/04/14 12:0 a.m.5 views

PT-2026-33225

Name of the Vulnerable Software and Affected Versions excel-mcp-server versions prior to 0.1.8 Description A path traversal issue exists in excel-mcp-server when operating in SSE or Streamable-HTTP transport modes. An unauthenticated network attacker can read, write, and overwrite arbitrary files...

9.4CVSS6AI score0.00391EPSS
Exploits0References13
CVE
CVE
added 2026/04/08 8:44 p.m.25 views

CVE-2026-39889

PraisonAI's A2U event stream server exposes all agent activity without authentication prior to version 4.5.115. The create_a2u_routes() function registers endpoints /a2u/info, /a2u/subscribe, /a2u/events/{stream_name}, /a2u/events/sub/{id}, and /a2u/health with no auth checks, enabling unauthenti...

7.5CVSS5.9AI score0.00425EPSS
Exploits0References1Affected Software1
EUVD
EUVD
added 2026/04/08 7:21 p.m.4 views

EUVD-2026-20636

PraisonAI Has Unauthenticated SSE Event Stream that Exposes All Agent Activity in A2U Server...

7.5CVSS5.9AI score0.00425EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/04/08 7:21 p.m.7 views

PraisonAI Has Unauthenticated SSE Event Stream that Exposes All Agent Activity in A2U Server

The A2U Agent-to-User event stream server in PraisonAI exposes all agent activity without authentication. This is a separate component from the gateway server fixed in CVE-2026-34952. The createa2uroutes function registers the following endpoints with NO authentication checks: - GET /a2u/info —...

7.5CVSS6AI score0.00425EPSS
Exploits0References4Affected Software1
RedhatCVE
RedhatCVE
added 2026/04/08 5:6 p.m.4 views

CVE-2026-35515

A flaw was found in Nest, a framework for building Node.js server-side applications. An attacker can exploit a vulnerability in the SseStream.transform function by injecting newline characters into message.type and message.id fields. This allows the attacker to inject arbitrary Server-Sent Events...

6.5CVSS5.9AI score0.00234EPSS
Exploits0References4
NVD
NVD
added 2026/04/07 4:16 p.m.4 views

CVE-2026-35515

Nest is a framework for building scalable Node.js server-side applications. Prior to 11.1.18, SseStream.transform interpolates message.type and message.id directly into Server-Sent Events text protocol output without sanitizing newline characters \r, \n. Since the SSE protocol treats both \r and ...

6.3CVSS0.00234EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/04/07 3:6 p.m.15 views

CVE-2026-35515 @nestjs/core Improperly Neutralizes Special Elements in Output Used by a Downstream Component ('Injection')

Nest is a framework for building scalable Node.js server-side applications. Prior to 11.1.18, SseStream.transform interpolates message.type and message.id directly into Server-Sent Events text protocol output without sanitizing newline characters \r, \n. Since the SSE protocol treats both \r and ...

6.3CVSS0.00234EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/04/07 3:6 p.m.2 views

CVE-2026-35515 @nestjs/core Improperly Neutralizes Special Elements in Output Used by a Downstream Component ('Injection')

Nest is a framework for building scalable Node.js server-side applications. Prior to 11.1.18, SseStream.transform interpolates message.type and message.id directly into Server-Sent Events text protocol output without sanitizing newline characters \r, \n. Since the SSE protocol treats both \r and ...

6.3CVSS6AI score0.00234EPSS
Exploits0References1
CVE
CVE
added 2026/04/07 3:6 p.m.75 views

CVE-2026-35515

NestJS/core (@nestjs/core) contains a vulnerability in SseStream._transform() where un sanitized interpolation of upstream data into SSE output allows an attacker to inject arbitrary SSE events, spoof event types, and corrupt reconnection state. The issue arises from inserting message.type and me...

6.3CVSS6AI score0.00234EPSS
Exploits0References1Affected Software1
CNNVD
CNNVD
added 2026/04/07 12:0 a.m.8 views

nest 注入漏洞

Nest is a Node.js framework developed by NestJS, aimed at building efficient, scalable, and enterprise-level server-side applications using TypeScript/JavaScript. Prior to version 11.1.18, Nest had an injection vulnerability. This vulnerability stemmed from the SseStream.transform function, which...

6.3CVSS5.9AI score0.00234EPSS
Exploits0References1
Github Security Blog
Github Security Blog
added 2026/04/06 5:59 p.m.18 views

@nestjs/core Improperly Neutralizes Special Elements in Output Used by a Downstream Component ('Injection')

Impact What kind of vulnerability is it? Who is impacted? SseStream.transform interpolates message.type and message.id directly into Server-Sent Events text protocol output without sanitizing newline characters \r, \n. Since the SSE protocol treats both \r and \n as field delimiters and \n\n as...

6.3CVSS6.1AI score0.00234EPSS
Exploits0References6Affected Software1
Snyk
Snyk
added 2026/04/06 5:59 p.m.5 views

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Overview @nestjs/core is a Nest - modern, fast, powerful node.js web framework @core Affected versions of this package are vulnerable to Improper Neutralization of Special Elements in Output Used by a Downstream Component 'Injection' via the SseStream.transform function. An attacker can inject...

6.5CVSS6AI score0.00234EPSS
Exploits0References2
OSV
OSV
added 2026/04/06 5:59 p.m.3 views

GHSA-36XV-JGW5-4Q75 @nestjs/core Improperly Neutralizes Special Elements in Output Used by a Downstream Component ('Injection')

Impact What kind of vulnerability is it? Who is impacted? SseStream.transform interpolates message.type and message.id directly into Server-Sent Events text protocol output without sanitizing newline characters \r, \n. Since the SSE protocol treats both \r and \n as field delimiters and \n\n as...

6.3CVSS6.1AI score0.00234EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 2026/04/06 12:0 a.m.4 views

PT-2026-30760

Name of the Vulnerable Software and Affected Versions Nest versions prior to 11.1.18 Description The SseStream. transform function interpolates message.type and message.id directly into Server-Sent Events text protocol output without sanitizing newline characters r, . Because the SSE protocol use...

6.3CVSS6.1AI score0.00234EPSS
Exploits0References10
Positive Technologies
Positive Technologies
added 2026/04/01 12:0 a.m.5 views

PT-2026-29672

Name of the Vulnerable Software and Affected Versions Go MCP SDK versions prior to 1.4.0 Description The Go MCP SDK, utilizing Go's standard encoding/json, did not enable DNS rebinding protection by default for HTTP-based servers prior to version 1.4.0. When an HTTP-based MCP server was run on...

9.8CVSS5.9AI score0.00455EPSS
Exploits0References38
IBM Security Bulletins
IBM Security Bulletins
added 2026/03/31 4:56 p.m.12 views

Security Bulletin: Remediation of Multiple Spring Vulnerabilities in IBM Library Support for Spring

Summary Multiple Spring Vulnerabilities have been addressed in IBM Library Support for Spring Vulnerability Details CVEID:CVE-2026-22731 DESCRIPTION: Spring Boot applications with Actuator can be vulnerable to an "Authentication Bypass" vulnerability when an application endpoint that requires...

9.1CVSS5.8AI score0.0122EPSS
Exploits3Affected Software1
IBM Security Bulletins
IBM Security Bulletins
added 2026/03/31 4:55 p.m.9 views

Security Bulletin: Remediation of Multiple Spring Vulnerabilities in IBM Library Support for Spring

Summary Multiple Spring Vulnerabilities have been addressed in IBM Library Support for Spring Vulnerability Details CVEID:CVE-2026-22733 DESCRIPTION: Spring Boot applications with Actuator can be vulnerable to an "Authentication Bypass" vulnerability when an application endpoint that requires...

9.1CVSS5.8AI score0.0122EPSS
Exploits3Affected Software1
IBM Security Bulletins
IBM Security Bulletins
added 2026/03/31 4:54 p.m.6 views

Security Bulletin: Remediation of Multiple Spring Vulnerabilities in IBM Library Support for Spring

Summary Multiple Spring Vulnerabilities have been addressed in IBM Library Support for Spring Vulnerability Details CVEID:CVE-2026-22733 DESCRIPTION: Spring Boot applications with Actuator can be vulnerable to an "Authentication Bypass" vulnerability when an application endpoint that requires...

9.1CVSS5.8AI score0.0122EPSS
Exploits3Affected Software1
Rows per page
Query Builder