Lucene search
K

4 matches found

EUVD
EUVD
added 2026/05/21 8:24 p.m.12 views

EUVD-2026-31340

Concrete CMS 9.5.0 and below emits a CSRF token in the localavailableupdate.php view $token-output'doupdate' but the corresponding doupdate method in concrete/controllers/singlepage/dashboard/system/update/update.php never calls $this-token-validate'doupdate'. The form is rendered as a POST form,...

7.5CVSS5.7AI score0.00132EPSS
Exploits0References1
SUSE CVE
SUSE CVE
added 2026/03/28 12:25 a.m.6 views

SUSE CVE-2026-33252

The Go MCP SDK used Go's standard encoding/json. Prior to version 1.4.1, the Go SDK's Streamable HTTP transport accepted browser-generated cross-site POST requests without validating the Origin header and without requiring Content-Type: application/json. In deployments without Authorization,...

7.1CVSS5.9AI score0.00178EPSS
Exploits0References3
NVD
NVD
added 2026/03/24 12:16 a.m.3 views

CVE-2026-33252

The Go MCP SDK used Go's standard encoding/json. Prior to version 1.4.1, the Go SDK's Streamable HTTP transport accepted browser-generated cross-site POST requests without validating the Origin header and without requiring Content-Type: application/json. In deployments without Authorization,...

7.1CVSS0.00178EPSS
Exploits0References2
EUVD
EUVD
added 2026/03/23 11:44 p.m.3 views

EUVD-2026-14643

The Go MCP SDK used Go's standard encoding/json. Prior to version 1.4.1, the Go SDK's Streamable HTTP transport accepted browser-generated cross-site POST requests without validating the Origin header and without requiring Content-Type: application/json. In deployments without Authorization,...

7.1CVSS5.8AI score0.00178EPSS
Exploits0References2
Rows per page
Query Builder