20392 matches found
Server-side Request Forgery (SSRF)
Overview: @dadigua/hyperchat is HyperChat Core, a Node.js backend and CLI tool with AI chat and MCP support. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the fetch function in the AI Proxy Middleware component when processing the baseurl argument. An attack...
EUVD-2026-25978
A vulnerability was found in TencentCloudBase CloudBase-MCP up to 2.17.0. Affected is the function openUrl of the file mcp/src/interactive-server.ts of the component open-url API Endpoint. The manipulation of the argument req.body.url results in server-side request forgery. It is possible to laun...
CVE-2026-7221
CVE-2026-7221 affects TencentCloudBase CloudBase-MCP (up to v2.17.0) with a vulnerability in the openUrl function (mcp/src/interactive-server.ts) of the open-url API Endpoint. Manipulating req.body.url enables server-side request forgery (SSRF) and can be exploited remotely; the exploit is public...
PT-2026-35799
OpenClaw before 2026.4.8 contains improper input validation in base64 decode paths that allocate memory before enforcing decoded-size limits. Attackers can exploit multiple code paths to cause memory exhaustion or denial of service through crafted base64-encoded input...
PT-2026-35827
A vulnerability was detected in eiceblue spire-doc-mcp-server 1.0.0. This affects the function get doc path of the file src/spire doc mcp/api/base.py. Performing a manipulation of the argument document name results in path traversal. The attack can be initiated remotely. The exploit is now public...
HyperChat Code Issue Vulnerability
HyperChat is an open-source local AI agent platform developed by dadigua. It supports configuration-driven and project-level AI expertise. Versions of HyperChat 2.0.0-alpha.63 and earlier have code vulnerabilities. These vulnerabilities stem from the baseurl parameter in the fetch function of the...
CVE-2026-7157
A flaw has been found in disler aider-mcp-server up to b2516fa466d0d851932da92ee6d0e66946db9efc. Affected by this vulnerability is an unknown functionality of the file src/aidermcpserver/server.py of the component aideraicode. This manipulation of the argument relativeeditablefiles causes command...
CVE-2026-7021
A weakness has been identified in SmythOS sre up to 0.0.15. This impacts an unknown function of the file packages/sdk/src/LLM/utils.ts of the component Connector Service. This manipulation of the argument baseURL causes information disclosure. It is possible to initiate the attack remotely. The...
CVE-2026-7147
A vulnerability was detected in JoeCastrom mcp-chat-studio up to 1.5.0. Affected by this issue is some unknown functionality of the file server/routes/llm.js of the component LLM Models API. Performing a manipulation of the argument req.query.baseurl results in server-side request forgery. Remote...
CVE-2026-7147 JoeCastrom mcp-chat-studio LLM Models API llm.js server-side request forgery
A vulnerability was detected in JoeCastrom mcp-chat-studio up to 1.5.0. Affected by this issue is some unknown functionality of the file server/routes/llm.js of the component LLM Models API. Performing a manipulation of the argument req.query.baseurl results in server-side request forgery. Remote...
EUVD-2026-25906
A vulnerability was detected in JoeCastrom mcp-chat-studio up to 1.5.0. Affected by this issue is some unknown functionality of the file server/routes/llm.js of the component LLM Models API. Performing a manipulation of the argument req.query.baseurl results in server-side request forgery. Remote...
Malicious code in @pyme-web/ui-base (npm)
Source: amazon-inspector 6780882125fbf59796027cea605339595d23058e19a6a2a257637f225adb51e8 The package @pyme-web/ui-base was found to contain malicious code. Source: ghsa-malware...
EUVD-2026-25873
A security flaw has been discovered in GPAC up to 26.03-DEV-rev105-g8f39a1eb3-master. Affected by this vulnerability is the function elng_box_read of the file src/isomedia/box_code_base.c of the component MP4Box. Performing a manipulation of the argument elng results in out-of-bounds read. The attack...
CVE-2026-7135 GPAC MP4Box box_code_base.c elng_box_read out-of-bounds
A security flaw has been discovered in GPAC up to 26.03-DEV-rev105-g8f39a1eb3-master. Affected by this vulnerability is the function elng_box_read of the file src/isomedia/box_code_base.c of the component MP4Box. Performing a manipulation of the argument elng results in out-of-bounds read. The attack...
PT-2026-35512
A vulnerability was detected in JoeCastrom mcp-chat-studio up to 1.5.0. Affected by this issue is some unknown functionality of the file server/routes/llm.js of the component LLM Models API. Performing a manipulation of the argument req.query.base url results in server-side request forgery. Remot...
CVE-2026-7021 SmythOS sre Connector Service utils.ts information disclosure
A weakness has been identified in SmythOS sre up to 0.0.15. This impacts an unknown function of the file packages/sdk/src/LLM/utils.ts of the component Connector Service. This manipulation of the argument baseURL causes information disclosure. It is possible to initiate the attack remotely. The...
PT-2026-35202
A weakness has been identified in SmythOS sre up to 0.0.15. This impacts an unknown function of the file packages/sdk/src/LLM/utils.ts of the component Connector Service. This manipulation of the argument baseURL causes information disclosure. It is possible to initiate the attack remotely. The...
Malicious code in tether-base (npm)
Source: amazon-inspector f3a15feaa501454125206345e0e802667759555738db7b1a1ee9ad5dc6b0098a The package tether-base was found to contain malicious code. Source: ossf-package-analysis...
MAL-2026-3033 Malicious code in tether-base (npm)
Source: amazon-inspector f3a15feaa501454125206345e0e802667759555738db7b1a1ee9ad5dc6b0098a The package tether-base was found to contain malicious code. Source: ossf-package-analysis...