27 matches found

CVE
added 2026/04/02 2:52 p.m. · 21 views

CVE-2026-32871

CVE-2026-32871 affects FastMCP’s OpenAPIProvider in the FastMCP package (prior to 3.2.0). The root cause is that the _build_url() function substitutes path parameters directly into the URL without URL-encoding, and then urllib.parse.urljoin() interprets any embedded “../” as a directory traversal...

CVSS 10 · AI score 5.8 · EPSS 0.00063
Exploits 1 · References 4 · Affected Software 1
Vulnrichment
added 2026/04/02 2:52 p.m. · 2 views

CVE-2026-32871 FastMCP OpenAPI Provider has an SSRF & Path Traversal Vulnerability

FastMCP is a Pythonic way to build MCP servers and clients. Prior to version 3.2.0, the OpenAPIProvider in FastMCP exposes internal APIs to MCP clients by parsing OpenAPI specifications. The RequestDirector class is responsible for constructing HTTP requests to the backend service. A vulnerabilit...

CVSS 10 · AI score 5.8 · EPSS 0.00063
Exploits 1 · References 4
CNNVD
added 2026/04/02 12:00 a.m. · 4 views

FastMCP Security Vulnerability

FastMCP is an MCP server building software developed by Jeremiah Lowin. Versions of FastMCP prior to 3.2.0 contained security vulnerabilities. These vulnerabilities stemmed from the lack of URL encoding for path parameters, which could lead to credential-stealing request forgery attacks...

CVSS 10 · AI score 5.8 · EPSS 0.00063
Exploits 1 · References 4
Vulnrichment
added 2026/03/13 3:44 p.m. · 1 view

CVE-2026-4092 Arbitrary File Write via Path Traversal in Google clasp leading to RCE

Path Traversal in Clasp impacting versions 3.2.0 allows a remote attacker to perform remote code execution via a malicious Google Apps Script project containing specially crafted filenames with directory traversal sequences...

CVSS 8.7 · AI score 6.4 · EPSS 0.00265
Exploits 1 · References 1
Positive Technologies
added 2026/03/13 12:00 a.m. · 3 views

PT-2026-25324

Arbitrary File Write via Path Traversal in Google clasp leading to RCE CVE: CVE-2026-4092 Vendor: Google Product: Clasp CVSS: 8.7 Credits: n/a Description: Path Traversal in Clasp impacting versions 3.2.0 allows a remote attacker to perform remote code execution via a malicious Google Apps Script...

CVSS 8.7 · AI score 6.4 · EPSS 0.00265
Exploits 1 · References 15
Patchstack
added 2026/02/06 6:32 a.m. · 5 views

WordPress Library Viewer plugin < 3.2.0 - Reflected Cross-Site Scripting vulnerability

Reflected Cross-Site Scripting vulnerability discovered by Muhammad Rohan khan in WordPress Plugin Library Viewer versions 3.2.0...

CVSS 7.1 · AI score 5.3 · EPSS 0.00019
Exploits 0 · References 1 · Affected Software 1
Cvelist
added 2025/11/04 6:27 p.m. · 4 views

CVE-2025-64320

Improper Neutralization of Input Used for LLM Prompting vulnerability in Salesforce Agentforce Vibes Extension allows Code Injection. This issue affects Agentforce Vibes Extension: before 3.2.0...

EPSS 0.00047
Exploits 0 · References 1
CNNVD
added 2025/11/04 12:00 a.m. · 1 view

Salesforce Agentforce Vibes Extension Security Vulnerability

Salesforce Agentforce Vibes Extension is an AI-coded agent extension from Salesforce, Inc. in the United States. A security vulnerability exists in Salesforce Agentforce Vibes Extension versions prior to 3.2.0 that stems from improper neutralization of LLM prompt inputs, which could lead to code...

CVSS 6.5 · AI score 6.9 · EPSS 0.00047
Exploits 0 · References 1
Tenable Nessus
added 2025/08/19 12:00 a.m. · 3 views

Linux Distros Unpatched Vulnerability : CVE-2014-2901

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - wolfssl before 3.2.0 does not properly issue certificates for a server's hostname. CVE-2014-2901 Note that Nessus relies on the presence of the package as...

CVSS 7.5 · AI score 7.3 · EPSS 0.0013
Exploits 0 · References 2
CNNVD
added 2025/07/21 12:00 a.m. · 2 views

Drupal Mail Login Security Vulnerability

Drupal Mail Login is an email address login plugin for the Drupal community. A security vulnerability exists in Drupal Mail Login versions prior to 3.2.0 and prior to 4.2.0, which stems from an improperly restricted authentication attempt that could lead to a brute force cracking attack...

CVSS 9.8 · AI score 6.6 · EPSS 0.00242
Exploits 0 · References 3
Positive Technologies
added 2025/01/17 12:00 a.m. · 1 view

PT-2025-3394 · Wegia · Wegia

Name of the Vulnerable Software and Affected Versions: WeGIA versions prior to 3.2.0 Description: The issue is related to Cross Site Scripting XSS via the dados addInfo parameter of the "documentos funcionario.php" endpoint. This allows for potential malicious script injection. Recommendations: F...

CVSS 6.1 · AI score 6.3 · EPSS 0.00496
Exploits 1 · References 7
Positive Technologies
added 2025/01/17 12:00 a.m. · 2 views

PT-2025-3395 · Wegia · Wegia

Name of the Vulnerable Software and Affected Versions: WeGIA versions prior to 3.2.0 Description: The issue concerns SQL Injection in the query geracao auto.php file through the query parameter. This allows for potential exploitation. Recommendations: For versions prior to 3.2.0, update to versio...

CVSS 9.8 · AI score 8.4 · EPSS 0.0065
Exploits 1 · References 7
CNNVD
added 2024/11/08 12:00 a.m. · 2 views

Combodo iTop Cross-Site Request Forgery Vulnerability

Combodo iTop is a set of open source web applications developed by Combodo France based on ITIL and used for the daily operation of IT environments. The program provides incident management, configuration management and problem management. A cross-site request forgery vulnerability exists in...

CVSS 8.8 · AI score 7.7 · EPSS 0.06987
Exploits 1 · References 1
Positive Technologies
added 2024/03/29 12:00 a.m. · 5 views

PT-2024-13409 · Itop +1 · Itop +1

Name of the Vulnerable Software and Affected Versions: iTop versions prior to 3.1.1 iTop versions prior to 3.2.0 Description: The issue allows an XSS attack to be performed when an object is displayed as an n:n relation item in another object, by filling malicious code in an object friendlyname o...

CVSS 9.8 · AI score 7 · EPSS 0.20737
Exploits 12 · References 68
Positive Technologies
added 2023/10/31 12:00 a.m. · 2 views

PT-2023-28375 · WordPress · Eventprime

Name of the Vulnerable Software and Affected Versions: EventPrime WordPress plugin versions prior to 3.2.0 Description: The issue is related to a Reflected Cross-Site Scripting problem. It occurs because some parameters are not properly sanitised and escaped before being outputted back in the pag...

CVSS 6.1 · AI score 6.4 · EPSS 0.00257
Exploits 2 · References 4
ATTACKERKB
added 2023/05/17 8:15 a.m. · 2 views

CVE-2023-2752

Cross-site Scripting XSS - Stored in GitHub repository thorsten/phpmyfaq prior to 3.2.0-beta...

CVSS 7.2 · AI score 6.8 · EPSS 0.0052
Exploits 1 · References 3
OSV
added 2023/04/11 2:15 p.m. · 2 views

AZL-26730 CVE-2023-26964 affecting package kata-containers for versions less than 3.2.0.azl0-1

An issue was discovered in hyper v0.13.7. h2-0.2.4 Stream stacking occurs when the H2 component processes HTTP2 RSTSTREAM frames. As a result, the memory and CPU usage are high which can lead to a Denial of Service DoS...

CVSS 7.5 · AI score 7.1 · EPSS 0.00318
Exploits 1 · References 1
Positive Technologies
added 2022/10/31 12:00 a.m. · 8 views

PT-2022-24104 · Node Red · Node-Red-Dashboard

Name of the Vulnerable Software and Affected Versions: node-red-dashboard versions prior to 3.2.0 Description: A cross-site scripting issue has been found in the node-red-dashboard, affecting the ui text Format Handler component, specifically in the file...

CVSS 6.1 · AI score 5.9 · EPSS 0.00315
Exploits 1 · References 8
CNNVD
added 2022/05/31 12:00 a.m. · 2 views

github-action-merge-dependabot Data Forgery Vulnerability

github-action-merge-dependabot is used to automatically approve and merge dependabot PRs. A security vulnerability exists in github-action-merge-dependabot versions prior to 3.2.0, which stems from the fact that it does not check whether commits created by dependabot are verified with the correct...

CVSS 6.5 · AI score 6.5 · EPSS 0.00082
Exploits 0 · References 4
Github Security Blog
added 2022/05/24 5:21 p.m. · 3 views

Mattermost Server is vulnerable to Uncontrolled Resource Consumption

An issue was discovered in Mattermost Server before 3.2.0. It allowed crafted posts that could cause a web browser to hang...

CVSS 5.3 · AI score 6.9 · EPSS 0.00377
Exploits 0 · References 3 · Affected Software 1