CVE-2026-11529 designcomputer mysql-mcp-server mysql URI server.py read_resource sql injection

A vulnerability was determined in designcomputer mysql-mcp-server up to 0.2.2. The impacted element is the function readresource of the file src/mysqlmcpserver/server.py of the component mysql URI Handler. This manipulation of the argument uristr causes sql injection. Remote exploitation of the...

Incorrect Authorization

Overview @withstudiocms/api-spec is an API Specification for StudioCMS Affected versions of this package are vulnerable to Incorrect Authorization through the api-tokens endpoint, which allows an authenticated user with editor privileges or higher to generate API tokens for any user by specifying...

CVE-2026-3739

A security flaw has been discovered in suitenumerique messages 0.2.0. This issue affects the function ThreadAccessSerializer of the file src/backend/core/api/serializers.py of the component ThreadAccess. The manipulation results in improper authentication. The attack can be executed remotely. The...

CVE-2026-3739

The CVE-2026-3739 vulnerability affects suitenumerique messages 0.2.0, specifically the ThreadAccessSerializer in src/backend/core/api/serializers.py (ThreadAccess component). The issue is a manipulation that leads to improper authentication, enabling remote exploitation. An exploit is publicly r...

CVE-2026-3739 suitenumerique messages ThreadAccess serializers.py ThreadAccessSerializer improper authentication

A security flaw has been discovered in suitenumerique messages 0.2.0. This issue affects the function ThreadAccessSerializer of the file src/backend/core/api/serializers.py of the component ThreadAccess. The manipulation results in improper authentication. The attack can be executed remotely. The...

CVE-2026-3739

A security flaw has been discovered in suitenumerique messages 0.2.0. This issue affects the function ThreadAccessSerializer of the file src/backend/core/api/serializers.py of the component ThreadAccess. The manipulation results in improper authentication. The attack can be executed remotely. The...

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the webfetch process. An attacker can access internal resources and sensitive data by exploiting DNS rebinding to bypass URL validation and force the application to connect to private IP addresses...

CVE-2025-58172

drawnix is an all in one open-source whiteboard tool. In drawnix versions through 0.2.1, a cross-site scripting XSS vulnerability exists in the debug logging functionality. User controlled content is inserted directly into the DOM via innerHTML without sanitization when the global function...

Access Control Bypass

Overview browser-use is a Make websites accessible for AI agents Affected versions of this package are vulnerable to Access Control Bypass via the searchgoogle and gotourl functions, which fail to enforce domain restrictions by using direct page.goto calls instead of the validated...

Unintended Proxy or Intermediary ('Confused Deputy')

Overview Affected versions of this package are vulnerable to Unintended Proxy or Intermediary 'Confused Deputy' via the ResourceGraphDefinition resources. An attacker can execute arbitrary code on cluster nodes by supplying attacker-controlled images. This is only exploitable if the user has...

Allocation of Resources Without Limits or Throttling

Overview org.webjars.npm:pdfmake is a Client/server side PDF printing in pure JavaScript Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via repeatedly redirect URL in file embedding. An attacker can cause the application to crash or become...

CVE-2025-1953

A vulnerability has been found in vLLM AIBrix 0.2.0 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file pkg/plugins/gateway/prefixcacheindexer/hash.go of the component Prefix Caching. The manipulation leads to insufficiently random values. The...

CVE-2025-1953 vLLM AIBrix Prefix Caching hash.go random values

A vulnerability has been found in vLLM AIBrix 0.2.0 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file pkg/plugins/gateway/prefixcacheindexer/hash.go of the component Prefix Caching. The manipulation leads to insufficiently random values. The...

XML External Entity (XXE) Injection

Overview svgoptimizer is a SVG optimization based on Node's SVGO Affected versions of this package are vulnerable to XML External Entity XXE Injection when optimizing untrusted SVG content. An attacker can escalate privileges by exploiting the external XML entity XXE vulnerability. This is only...

PT-2021-23104 · Vyper · Vyper

Name of the Vulnerable Software and Affected Versions: Vyper versions prior to 0.3.0 Description: The issue occurs when performing a function call inside a literal struct, resulting in a memory corruption problem due to an incorrect pointer to the top of the stack. Recommendations: For versions...