CVE-2026-44425

CVE-2026-44425 affects ShellHub, a centralized SSH gateway. The device list endpoint accepts user-controlled identifiers in the filter name and in the sort_by parameter, passes them as BSON/SQL keys without validation, enabling authenticated users to craft payloads that trigger aggregation/query ...

Server-Side Request Forgery (SSRF)

hackmd-mcp is vulnerable to Server-Side Request Forgery SSRF. The vulnerability is due to improper validation of user-supplied hackmdApiUrl values via the Hackmd-Api-Url HTTP header or a base64-encoded JSON query parameter, which allows an attacker to redirect outbound API requests to internal...

CVE-2025-59155

hackmd-mcp is a Model Context Protocol server for integrating HackMD's note-taking platform with AI assistants. From 1.4.0 to before 1.5.0, hackmd-mcp contains a server-side request forgery SSRF vulnerability when the server is run in HTTP transport mode. Arbitrary hackmdApiUrl values supplied vi...

CVE-2025-59155

The HackMD MCP server (hackmd-mcp) is affected by a Server-Side Request Forgery (SSRF) in HTTP transport mode from version 1.4.0 up to 1.5.0. The vulnerability stems from inadequate validation of arbitrary hackmdApiUrl values supplied via the Hackmd-Api-Url HTTP header or a base64-encoded JSON qu...

CVE-2025-59155 hackmd-mcp server-side request forgery in HTTP transport mode

hackmd-mcp is a Model Context Protocol server for integrating HackMD's note-taking platform with AI assistants. From 1.4.0 to before 1.5.0, hackmd-mcp contains a server-side request forgery SSRF vulnerability when the server is run in HTTP transport mode. Arbitrary hackmdApiUrl values supplied vi...