17 matches found
Interpretation Conflict
Overview Affected versions of this package are vulnerable to Interpretation Conflict in the JSON-RPC and MCP protocol message parsing. An attacker can bypass intermediary inspection or cause cross-implementation inconsistencies by sending protocol messages with non-standard field casing or Unicod...
CVE-2026-27896
The Go MCP SDK used Go's standard encoding/json.Unmarshal for JSON-RPC and MCP protocol message parsing in versions prior to 1.3.1. Go's standard library performs case-insensitive matching of JSON keys to struct field tags — a field tagged json:"method" would also match "Method", "METHOD", etc...
Open Redirect
Overview googlesignin is a Sign in or up with Google for Rails applications. Affected versions of this package are vulnerable to Open Redirect via the proceedto value in the session store when it is set to a protocol-relative URL. An attacker can redirect users to an unintended origin by submittin...
WordPress Taxi Booking Manager for WooCommerce plugin <= 1.3.0 - Broken Authentication vulnerability
Broken Authentication vulnerability discovered by Denver Jackson in WordPress Plugin Taxi Booking Manager for WooCommerce versions <= 1.3.0...
Origin Validation Error
Overview @elysiajs/cors is a plugin for Elysia for Cross-Origin Requests (CORS). Affected versions of this package are vulnerable to Origin Validation Error via improper validation in the processOrigin function. An attacker can gain unauthorized access to user data by supplying a malicious orig...
CVE-2025-3857
When reading binary Ion data through Amazon.IonDotnet using the RawBinaryReader class, Amazon.IonDotnet does not check the number of bytes read from the underlying stream while deserializing the binary format. If the Ion data is malformed or truncated, this triggers an infinite loop condition tha...
Missing Authorization
Overview chainlit is a package for building conversational AI. Affected versions of this package are vulnerable to Missing Authorization due to improper user verification in the getfile endpoint. This flaw allows unauthorized users to access and retrieve session files by guessing or obtaining valid sessionids,...
DEBIAN-CVE-2024-42358
PDFio is a simple C library for reading and writing PDF files. There is a denial of service (DoS) vulnerability in the TTF parser. Maliciously crafted TTF files can cause the program to utilize 100% of the memory and enter an infinite loop. This can also lead to a heap-buffer-overflow vulnerability...
CVE-2024-28253 SpEL Injection in `PUT /api/v1/policies` in OpenMetadata
OpenMetadata is a unified platform for discovery, observability, and governance powered by a central metadata repository, in-depth lineage, and seamless team collaboration. CompiledRule::validateExpression is also called from PolicyRepository.prepare. prepare is called from...
PT-2023-27517 · Openfga · Openfga
Name of the Vulnerable Software and Affected Versions: OpenFGA versions 1.3.0 and earlier Description: The issue affects OpenFGA, an authorization/permission engine, where some end users of versions 1.3.0 or earlier are vulnerable to authorization bypass when calling the "ListObjects" API endpoin...
PT-2023-10632 · Unknown · Vocable Trainer
Name of the Vulnerable Software and Affected Versions: hgzojer Vocable Trainer versions up to 1.3.0 Description: A critical vulnerability was found in the hgzojer Vocable Trainer, affecting unknown code of the file VocableTrainerProvider.java. The manipulation leads to path traversal, and attacki...
PT-2023-1346 · Apache +1 · Apache Linkis +1
Name of the Vulnerable Software and Affected Versions: Apache Linkis versions prior to 1.3.1 Description: The issue is related to insufficient protection of service data when handling the allowLoadLocalInfile parameter with a value of true in the MySQL Connector/J component of Apache Linkis. This...
PT-2023-10123 · Piwigo · Piwigo-Guest-Book
Name of the Vulnerable Software and Affected Versions: Piwigo-Guest-Book versions up to 1.3.0 Description: A critical issue affects the Navigation Bar component, specifically the include/guestbook.inc.php file. The manipulation of the start argument leads to SQL injection. Recommendations: For...
PT-2023-11810 · Bonitasoft · Bonita-Connector-Webservice
Name of the Vulnerable Software and Affected Versions: bonitasoft bonita-connector-webservice versions up to 1.3.0 Description: A problematic issue was found in the software, affecting the TransformerConfigurationException function of the file...
PT-2022-6257 · Apache +1 · Apache Linkis +1
Name of the Vulnerable Software and Affected Versions: Apache Linkis versions 1.3.0 and earlier Description: A deserialization vulnerability exists in Apache Linkis when used with the MySQL Connector/J, allowing for possible remote code execution impact. This occurs when an attacker has write...
PT-2022-17497 · Open62541 · Open62541
Name of the Vulnerable Software and Affected Versions: open62541/open62541 versions 1.2.0 through 1.2.4; open62541/open62541 versions 1.3-rc1 through 1.3.0 Description: The issue is related to a Denial of Service (DoS) due to a missing limitation on the number of received chunks per single session o...
PT-2022-17563 · Unknown · Go-Codec-Dagpb
Name of the Vulnerable Software and Affected Versions: go-codec-dagpb versions prior to 1.3.1 Description: The dag-pb codec can panic when decoding invalid blocks, due to an assumption that the reported link length is accurate. If the block ends before the reported length, it results in a buffer...