253 matches found

Github Security Blog
added 2026/05/21 8:33 p.m. | 9 views

MCP Server Kubernetes: Tool Access Control Bypass via Presentation-Layer Filtering Without Execution-Layer Enforcement

Summary: mcp-server-kubernetes exposes three environment variables, ALLOW_ONLY_READONLY_TOOLS, ALLOW_ONLY_NON_DESTRUCTIVE_TOOLS and ALLOWED_TOOLS, documented as access controls for restricting which Kubernetes operations are available. These controls are enforced at the tool discovery layer (tools/list) but not ...

AI score 6 | Exploits 0 | References 2 | Affected Software 1
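The pattern the summary describes, as an added JavaScript example that is not code from mcp-server-kubernetes or from the advisory: one policy function derived from the environment gates what tools/list advertises, but the vulnerable tools/call handler never consults it, so a client that skips discovery and names a hidden tool still runs it. The tool registry, its readOnly/destructive flags, the request shape and the environment variable names are assumptions taken from the summary above, not the project's own definitions.

```javascript
// Constructed tool registry (assumed shape, not mcp-server-kubernetes' own):
// each tool carries the flags a policy can key on, plus a stub runner.
const TOOLS = {
  kubectl_get:    { readOnly: true,  destructive: false, run: (a) => `get ${a.kind}` },
  kubectl_apply:  { readOnly: false, destructive: false, run: (a) => `apply ${a.manifest}` },
  kubectl_delete: { readOnly: false, destructive: true,  run: (a) => `delete ${a.kind}/${a.name}` },
};

// Policy derived from environment variables (names assumed from the summary).
function isPermitted(name, env) {
  const tool = TOOLS[name];
  if (!tool) return false;
  if (env.ALLOWED_TOOLS) {
    const allow = env.ALLOWED_TOOLS.split(',').map((s) => s.trim()).filter(Boolean);
    if (!allow.includes(name)) return false;
  }
  if (env.ALLOW_ONLY_READONLY_TOOLS === 'true' && !tool.readOnly) return false;
  if (env.ALLOW_ONLY_NON_DESTRUCTIVE_TOOLS === 'true' && tool.destructive) return false;
  return true;
}

// Vulnerable shape: the policy filters what tools/list advertises, but
// tools/call dispatches by name without re-checking it.
function vulnerableServer(env) {
  return {
    'tools/list': () => Object.keys(TOOLS).filter((n) => isPermitted(n, env)),
    'tools/call': ({ name, arguments: args }) => {
      const tool = TOOLS[name];
      if (!tool) throw new Error(`unknown tool: ${name}`);
      return tool.run(args);            // hidden tools still execute
    },
  };
}

// Hardened shape: the same policy decision is repeated at execution time,
// so the advertised list is a convenience, not the control.
function hardenedServer(env) {
  return {
    'tools/list': () => Object.keys(TOOLS).filter((n) => isPermitted(n, env)),
    'tools/call': ({ name, arguments: args }) => {
      if (!isPermitted(name, env)) throw new Error(`tool not permitted by policy: ${name}`);
      return TOOLS[name].run(args);
    },
  };
}

// Simulated client that ignores tools/list and calls a hidden tool directly.
function callHidden(server) {
  try {
    return server['tools/call']({ name: 'kubectl_delete', arguments: { kind: 'pod', name: 'db-0' } });
  } catch (e) {
    return `rejected: ${e.message}`;
  }
}

function demo(env = { ALLOW_ONLY_READONLY_TOOLS: 'true' }) {
  const vuln = vulnerableServer(env);
  const hard = hardenedServer(env);
  return {
    advertised: vuln['tools/list'](),   // ['kubectl_get'] under the read-only policy
    vulnerable: callHidden(vuln),        // 'delete pod/db-0': the filter is bypassed
    hardened: callHidden(hard),          // rejected at dispatch
  };
}

console.log(demo());
```

The check worth adding to a review of any MCP server is the second half of this: send a tools/call for a tool that tools/list does not return and confirm it is refused rather than executed.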
OSV
added 2026/05/18 1:47 p.m. | 7 views

CLEANSTART-2026-VZ08395 Security fixes for CVE-2026-24051, CVE-2026-27139, CVE-2026-27141, CVE-2026-32280, CVE-2026-32281, CVE-2026-32282, CVE-2026-32283, CVE-2026-32289, CVE-2026-33186, CVE-2026-33810, CVE-2026-39883, ghsa-9h8m-3fm2-qjrq, ghsa-p77j-4mvh-x3m3 applied in versions: 3.6.0-r3, 3.6.0-r4

Multiple security vulnerabilities affect the fluent-operator-fips package. These issues are resolved in later releases. See references for individual vulnerability details...

CVSS 9.1 | AI score 6.9 | EPSS 0.00023 | Exploits 2 | References 25
AstraLinux
added 2026/05/03 11:59 p.m. | 12 views

Astra Linux - vulnerability in wireshark

A crash in the Sysdig Event dissector in Wireshark versions 3.6.0 and 3.4.0 to 3.4.10 allows denial of service through packet injection or crafted capture files...

CVSS 7.5 | AI score 7.1 | EPSS 0.00188 | Exploits 1 | References 1
AstraLinux
added 2026/05/03 11:59 p.m. | 3 views

Astra Linux - vulnerability in wireshark

An infinite loop in the RTMPT dissector in Wireshark versions 3.6.0 and 3.4.0 to 3.4.10 allows denial of service through packet injection or crafted capture files...

CVSS 7.5 | AI score 7.1 | EPSS 0.00145 | Exploits 1 | References 1
AstraLinux
added 2026/05/03 11:59 p.m. | 5 views

Astra Linux - vulnerability in wireshark

A memory leak in the BT SDP dissector in Wireshark versions 4.0.0 to 4.0.7 and 3.6.0 to 3.6.15 allows denial of service through packet injection or malicious capture files...

CVSS 7.5 | AI score 6.9 | EPSS 0.00022 | Exploits 1 | References 2
AstraLinux
added 2026/05/03 11:59 p.m. | 4 views

Astra Linux - vulnerability in wireshark

An infinite loop in the GDSDB dissector in Wireshark versions 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service through packet injection or malicious capture files...

CVSS 7.5 | AI score 7.1 | EPSS 0.00113 | Exploits 1 | References 1
AstraLinux
added 2026/05/03 11:59 p.m. | 2 views

Astra Linux - vulnerability in wireshark

A memory leak in the NFS dissector in Wireshark versions 4.0.0 to 4.0.2 and 3.6.0 to 3.6.10 may lead to denial of service through packet injection or specially crafted capture files...

CVSS 6.5 | AI score 6.8 | EPSS 0.00123 | Exploits 0 | References 1
CVE
added 2026/04/28 11:44 a.m. | 8 views

CVE-2026-5781

An authorization vulnerability in MphRx’s Minerva v3.6.0 affects the /minerva/moUser/update endpoint. An authenticated user with user-modification privileges can escalate to administrator by sending an HTTP request with a manipulated 'identifier' field. The CVSS metrics indicate high impact and p...

CVSS 8.8 | AI score 5.3 | EPSS 0.0005 | Exploits 0 | References 1 | Affected Software 1
ATTACKERKB
added 2026/04/28 11:44 a.m. | 3 views

CVE-2026-5781

An authorization vulnerability in MphRx's Minerva V3.6.0, specifically in the '/minerva/moUser/update' endpoint, could allow an authenticated user with user modification privileges to escalate their privileges by sending an HTTP request with a manipulated 'identifier' field. Successful exploitati...

CVSS 8.5 | AI score 5.3 | EPSS 0.0005 | Exploits 0 | References 2 | Affected Software 1
CNNVD
added 2026/04/28 12:00 a.m. | 7 views

MphRx Minerva access control error vulnerability

MphRx Minerva is a medical data integration and interoperability platform developed by MphRx Corporation. Version MphRx Minerva V3.6.0 contains a security vulnerability related to access control. This vulnerability stems from an insecure direct object reference in the /minerva/moUser/show endpoin...

CVSS 8.5 | AI score 5.8 | EPSS 0.00036 | Exploits 0 | References 1
Positive Technologies
added 2026/04/28 12:00 a.m. | 4 views

PT-2026-35716

Name of the Vulnerable Software and Affected Versions: Minerva version 3.6.0. Description: An authorization issue in the '/minerva/moUser/update' endpoint allows an authenticated user with user modification privileges to escalate their privileges to administrator. This is achieved by sending an HTTP...

CVSS 8.8 | AI score 5.8 | EPSS 0.0005 | Exploits 0 | References 5
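The four CVE-2026-5781 entries above (CVE, AttackerKB, CNNVD, Positive Technologies) describe the same shape of bug: a caller who holds a user-modification privilege sends an 'identifier' the server does not check authority over, and an insecure direct object reference on the /minerva/moUser/show endpoint. The following is an added JavaScript example, not Minerva's code, showing the two handler shapes side by side. The in-memory user table, the privilege strings, and the request body shape ('identifier' plus a 'fields' object) are assumptions for illustration; the advisory does not give Minerva's data model or the exact manipulation.

```javascript
// Constructed in-memory user table (not Minerva's data model). 'user:modify'
// stands for the "user-modification privilege" the advisory mentions; 'user:admin'
// is an assumed administrator privilege.
function freshUsers() {
  return new Map([
    ['u-100', { id: 'u-100', name: 'alice', email: 'alice@example.test', role: 'user',  privs: ['user:modify'] }],
    ['u-1',   { id: 'u-1',   name: 'root',  email: 'root@example.test',  role: 'admin', privs: ['user:modify', 'user:admin'] }],
  ]);
}

// Vulnerable handler for a request such as
//   POST /minerva/moUser/update   {"identifier": "...", "fields": {...}}   (assumed shape)
// It checks only that the caller holds the privilege at all, then trusts
// 'identifier' to select any record and copies every submitted field into it.
function updateUserVulnerable(users, session, body) {
  const caller = users.get(session.userId);
  if (!caller || !caller.privs.includes('user:modify')) return { status: 403 };
  const target = users.get(body.identifier);          // no authority check on the target
  if (!target) return { status: 404 };
  Object.assign(target, body.fields || {});           // 'role' goes in with everything else
  return { status: 200, user: target };
}

// Hardened handler: function-level privilege, then object-level authority over
// this specific target, then a field allowlist that keeps 'role' admin-only.
const SELF_EDITABLE = new Set(['name', 'email']);

function updateUserHardened(users, session, body) {
  const caller = users.get(session.userId);
  if (!caller || !caller.privs.includes('user:modify')) return { status: 403, reason: 'no modify privilege' };
  const target = users.get(body.identifier);
  if (!target) return { status: 404 };
  const isAdmin = caller.privs.includes('user:admin');
  if (!isAdmin && target.id !== caller.id) return { status: 403, reason: 'not your record' };
  const allowed = isAdmin ? new Set([...SELF_EDITABLE, 'role']) : SELF_EDITABLE;
  const fields = body.fields || {};
  const rejected = Object.keys(fields).filter((k) => !allowed.has(k));
  if (rejected.length) return { status: 400, reason: `fields not permitted: ${rejected.join(',')}` };
  Object.assign(target, fields);
  return { status: 200, user: target };
}

function demo() {
  const session = { userId: 'u-100' };                          // alice, a normal user
  const selfEscalate = { identifier: 'u-100', fields: { role: 'admin' } };
  const takeover = { identifier: 'u-1', fields: { email: 'alice@example.test' } };
  const legitimate = { identifier: 'u-100', fields: { name: 'Alice' } };

  const a = freshUsers(); updateUserVulnerable(a, session, selfEscalate);
  const b = freshUsers(); const r1 = updateUserHardened(b, session, selfEscalate);
  const c = freshUsers(); const r2 = updateUserHardened(c, session, takeover);
  const d = freshUsers(); const r3 = updateUserHardened(d, session, legitimate);

  return {
    vulnerableRole: a.get('u-100').role,   // 'admin': privilege escalation
    selfEscalate: r1.status,               // 400: 'role' is not self-editable
    hardenedRole: b.get('u-100').role,     // 'user'
    takeover: r2.status,                   // 403: identifier points at someone else's record
    legitimate: r3.status,                 // 200
  };
}

console.log(demo());
```

The same object-level check (is the caller allowed to act on this particular identifier?) is what the /minerva/moUser/show endpoint in the CNNVD entry is missing; a read endpoint needs it just as much as an update endpoint.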
OSV
added 2026/04/15 6:31 p.m. | 2 views

GHSA-J452-XHG8-QG39 Mafintosh's protocol-buffers-schema is vulnerable to prototype pollution

Mafintosh's protocol-buffers-schema version 3.6.0 (JavaScript) is vulnerable to prototype pollution, through which an attacker may alter the application logic, bypass security checks, cause a DoS or achieve remote code execution...

CVSS 6.5 | AI score 6.1 | EPSS 0.00056 | Exploits 0 | References 4
CNNVD
added 2026/04/15 12:00 a.m. | 6 views

protocol-buffers-schema security vulnerability

protocol-buffers-schema is a Protocol Buffers schema parser written in JavaScript by Mathias Buus. Version 3.6.0 of protocol-buffers-schema contains a security vulnerability that stems from JavaScript prototype pollution. This vulnerability could allow attackers to alter application logic,...

CVSS 6.5 | AI score 6.2 | EPSS 0.00056 | Exploits 0 | References 1
Positive Technologies
added 2026/04/15 12:00 a.m. | 1 views

PT-2026-33111

Mafintosh's protocol-buffers-schema version 3.6.0 (JavaScript) is vulnerable to prototype pollution, through which an attacker may alter the application logic, bypass security checks, cause a DoS or achieve remote code execution...

CVSS 6.5 | AI score 6.1 | EPSS 0.00056 | Exploits 0 | References 4
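The three protocol-buffers-schema entries above (OSV, CNNVD, Positive Technologies) name the bug class but not the sink. The following is an added JavaScript example, not protocol-buffers-schema's grammar or code, of how a schema parser reaches Object.prototype: a dotted option name is split into path segments and written through ordinary property access, so a segment named __proto__ steps into the shared prototype. The toy `option` syntax, the sample schema text and the setter names are constructed for illustration; the hardened setter shows the three checks that close the hole.

```javascript
// Toy option parser for lines such as `option java_package = "com.example";`.
// Constructed for illustration; it is not protocol-buffers-schema's grammar or code.
const OPTION_RE = /^option\s+([\w.]+)\s*=\s*(.+?)\s*;$/;

function parseValue(raw) {
  if (raw === 'true') return true;
  if (raw === 'false') return false;
  if (/^-?\d+(\.\d+)?$/.test(raw)) return Number(raw);
  return raw.replace(/^"(.*)"$/, '$1');
}

// Vulnerable: walks the dotted path through plain property access. With the
// path ['__proto__', 'isAdmin'], cur['__proto__'] is Object.prototype, so the
// final write lands on every object in the process.
function setPathUnsafe(obj, path, value) {
  let cur = obj;
  for (let i = 0; i < path.length - 1; i++) {
    if (typeof cur[path[i]] !== 'object' || cur[path[i]] === null) cur[path[i]] = {};
    cur = cur[path[i]];
  }
  cur[path[path.length - 1]] = value;
}

// Hardened: refuses the keys that reach a prototype, descends only into own
// properties, and creates intermediate nodes without a prototype at all.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function setPathSafe(obj, path, value) {
  let cur = obj;
  for (let i = 0; i < path.length; i++) {
    const key = path[i];
    if (FORBIDDEN_KEYS.has(key)) throw new Error(`forbidden option path segment: ${key}`);
    if (i === path.length - 1) { cur[key] = value; return; }
    const own = Object.prototype.hasOwnProperty.call(cur, key);
    if (!own || typeof cur[key] !== 'object' || cur[key] === null) cur[key] = Object.create(null);
    cur = cur[key];
  }
}

// Parses every `option` line into `root` using the supplied setter.
function parseOptions(text, setPath, root) {
  for (const line of text.split('\n')) {
    const m = OPTION_RE.exec(line.trim());
    if (!m) continue;
    setPath(root, m[1].split('.'), parseValue(m[2]));
  }
  return root;
}

// Constructed schema fragment: one benign option and one crafted path.
const SAMPLE = [
  'option java_package = "com.example";',
  'option __proto__.isAdmin = true;',
].join('\n');

function demo() {
  const before = ({}).isAdmin;                       // undefined
  parseOptions(SAMPLE, setPathUnsafe, {});
  const after = ({}).isAdmin;                        // true: a fresh object now "has" it
  delete Object.prototype.isAdmin;                   // undo the pollution for the rest of the process
  let rejected = null;
  try { parseOptions(SAMPLE, setPathSafe, Object.create(null)); }
  catch (e) { rejected = e.message; }
  return { before, after, stillPolluted: ({}).isAdmin, rejected };
}

console.log(demo());
```

When auditing a parser for this class, the question to ask of every `obj[key]` where `key` comes from the input is whether `key` can be one of the three forbidden names, and whether the object being indexed still has Object.prototype behind it.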
EUVD
added 2026/04/08 9:31 a.m. | 2 views

EUVD-2026-20234

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in zookatron MyBookTable Bookstore (mybooktable) allows Stored XSS. This issue affects MyBookTable Bookstore: from n/a through <= 3.6.0...

AI score 5.9 | EPSS 0.00036 | Exploits 0 | References 2
CVE
added 2026/04/08 8:30 a.m. | 5 views

CVE-2026-39604

CVE-2026-39604 concerns a Stored Cross-Site Scripting (XSS) flaw in the WordPress MyBookTable Bookstore plugin, affecting versions up to and including 3.6.0. The root cause is improper neutralization of input during web page generation. Descriptions across NVD, Red Hat, EUVD, CVE List, and other ...

CVSS 5.9 | AI score 5.9 | EPSS 0.00036 | Exploits 0 | References 1
Cvelist
added 2026/04/08 8:30 a.m. | 20 views

CVE-2026-39604 WordPress MyBookTable Bookstore plugin <= 3.6.0 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in zookatron MyBookTable Bookstore (mybooktable) allows Stored XSS. This issue affects MyBookTable Bookstore: from n/a through <= 3.6.0...

CVSS 5.9 | EPSS 0.00036 | Exploits 0 | References 1
CNNVD
added 2026/04/08 12:00 a.m. | 3 views

WordPress plugin MyBookTable Bookstore cross-site scripting vulnerability

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...

CVSS 5.9 | AI score 5.6 | EPSS 0.00036 | Exploits 0 | References 1
RedhatCVE
added 2026/04/01 11:00 p.m. | 4 views

CVE-2026-34605

SiYuan is a personal knowledge management system. From version 3.6.0 to before version 3.6.2, the SanitizeSVG function introduced in version 3.6.0 to fix XSS in the unauthenticated /api/icon/getDynamicIcon endpoint can be bypassed by using namespace-prefixed element names such as . The Go HTML5...

CVSS 8.6 | AI score 5.7 | EPSS 0.00139 | Exploits 1 | References 1
Vulnrichment
added 2026/03/31 9:50 p.m. | 3 views

CVE-2026-34605 SiYuan: Reflected XSS via SVG namespace prefix bypass in SanitizeSVG ( getDynamicIcon, unauthenticated )

SiYuan is a personal knowledge management system. From version 3.6.0 to before version 3.6.2, the SanitizeSVG function introduced in version 3.6.0 to fix XSS in the unauthenticated /api/icon/getDynamicIcon endpoint can be bypassed by using namespace-prefixed element names such as . The Go HTML5...

CVSS 8.6 | AI score 5.7 | EPSS 0.00139 | Exploits 1 | References 3
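The two CVE-2026-34605 entries above (RedhatCVE, Vulnrichment) say the SVG sanitizer is bypassed by namespace-prefixed element names; the parser detail is cut off on this page. The general class is easy to reproduce: in XML, `svg:script` with the `svg` prefix bound to the SVG namespace is the same element as `script`, so a sanitizer that compares the raw qualified name against a denylist never sees a match. The following is an added JavaScript example, not SiYuan's SanitizeSVG and not an HTML5 parser; the tag scanner, the policies, and the payload are constructed for illustration and the hardened policy shows the usual fix (allowlist by local name, strip event-handler attributes).

```javascript
// Tiny tag scanner, constructed for illustration only (not SiYuan's code and
// not a real parser). Captures: closing slash, qualified name, raw attributes.
const TAG_RE = /<\s*(\/?)\s*([A-Za-z_][\w.-]*(?::[A-Za-z_][\w.-]*)?)([^>]*)>/g;

// The prefix is a label, not part of the element's identity.
function localName(qname) {
  const i = qname.indexOf(':');
  return (i === -1 ? qname : qname.slice(i + 1)).toLowerCase();
}

// Drops elements the policy does not keep (together with their subtree) and
// rewrites the attributes of kept elements through policy.attrs.
function sanitize(svg, policy) {
  let out = '';
  let last = 0;
  let dropping = null;          // qualified name of the element whose subtree is being dropped
  for (const m of svg.matchAll(TAG_RE)) {
    const [raw, close, qname, attrs] = m;
    const text = svg.slice(last, m.index);
    last = m.index + raw.length;
    if (dropping) {
      if (close && qname === dropping) dropping = null;
      continue;
    }
    out += text;
    if (!policy.keep(policy.nameOf(qname))) {
      if (!close && !attrs.trim().endsWith('/')) dropping = qname;   // not self-closing: drop until its end tag
      continue;
    }
    out += `<${close}${qname}${policy.attrs(attrs)}>`;
  }
  return dropping ? out : out + svg.slice(last);
}

// Vulnerable policy: a denylist compared against the raw qualified name, so
// 'svg:script' is not 'script' and passes.
const BLOCKED = new Set(['script', 'foreignobject', 'iframe']);
const vulnerablePolicy = {
  nameOf: (q) => q.toLowerCase(),
  keep: (n) => !BLOCKED.has(n),
  attrs: (a) => a,
};

// Hardened policy: allowlist by local name, and strip on* event handlers.
const ALLOWED = new Set(['svg', 'g', 'path', 'rect', 'circle', 'text', 'title']);
const hardenedPolicy = {
  nameOf: localName,
  keep: (n) => ALLOWED.has(n),
  attrs: (a) => a.replace(/\s+on\w+\s*=\s*("[^"]*"|'[^']*'|\S+)/gi, ''),
};

// Constructed payload: a plain <script>, the prefixed spelling, and an event handler.
const PAYLOAD =
  '<svg xmlns="http://www.w3.org/2000/svg" xmlns:svg="http://www.w3.org/2000/svg">' +
  '<rect width="10" height="10" onload="alert(1)"/>' +
  '<script>alert(1)</script>' +
  '<svg:script>alert(2)</svg:script>' +
  '</svg>';

function demo() {
  return {
    vulnerable: sanitize(PAYLOAD, vulnerablePolicy),   // keeps <svg:script> and onload=
    hardened: sanitize(PAYLOAD, hardenedPolicy),       // neither spelling of script survives
  };
}

console.log(demo());
```

The check for any SVG or XML sanitizer is therefore to feed it each blocked element under an arbitrary prefix (`svg:script`, `x:script`) and under different case, and to confirm the decision is made on the resolved local name rather than on the string as written.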