Lucene search
+L

102 matches found

NVD
NVD
added 2026/07/09 10:17 p.m.6 views

CVE-2026-55604

DeepSeek MCP Server is an MCP server for DeepSeek V4. Starting in version 1.4.2 and prior to version 1.7.0, the process-global SessionStore accepts caller-supplied sessionid values without binding them to any authenticated principal or transport session. An attacker can enumerate active session I...

8.6CVSS0.00225EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/07/09 9:13 p.m.8 views

CVE-2026-55604

DeepSeek MCP Server is an MCP server for DeepSeek V4. Starting in version 1.4.2 and prior to version 1.7.0, the process-global SessionStore accepts caller-supplied sessionid values without binding them to any authenticated principal or transport session. An attacker can enumerate active session I...

8.6CVSS6AI score0.00225EPSS
Exploits0References3Affected Software1
Cvelist
Cvelist
added 2026/07/09 9:13 p.m.32 views

CVE-2026-55604 @arikusi/deepseek-mcp-server has an Authorization Bypass Through User-Controlled Key

DeepSeek MCP Server is an MCP server for DeepSeek V4. Starting in version 1.4.2 and prior to version 1.7.0, the process-global SessionStore accepts caller-supplied sessionid values without binding them to any authenticated principal or transport session. An attacker can enumerate active session I...

8.6CVSS0.00225EPSS
Exploits0References2
CVE
CVE
added 2026/07/09 9:13 p.m.12 views

CVE-2026-55604

DeepSeek MCP Server (DeepSeek V4) is vulnerable from v1.4.2 up to, but not including, v1.7.0. The issue stems from a process-global SessionStore that accepts caller-supplied session_id values without binding them to any authenticated principal or transport session. An attacker can enumerate activ...

8.6CVSS6AI score0.00225EPSS
Exploits0References2
OSV
OSV
added 2026/07/09 9:13 p.m.3 views

CVE-2026-55604 @arikusi/deepseek-mcp-server has an Authorization Bypass Through User-Controlled Key

DeepSeek MCP Server is an MCP server for DeepSeek V4. Starting in version 1.4.2 and prior to version 1.7.0, the process-global SessionStore accepts caller-supplied sessionid values without binding them to any authenticated principal or transport session. An attacker can enumerate active session I...

8.6CVSS6.1AI score0.00225EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2026/07/09 9:10 p.m.6 views

CVE-2026-55605

DeepSeek MCP Server is an MCP server for DeepSeek V4. Starting in version 1.4.2 and prior to version 1.8.0, the self-hosted HTTP transport of @arikusi/deepseek-mcp-server exposes POST /mcp without any authentication: createMcpExpressApp is called without an authProvider and no middleware guards t...

5.3CVSS5.9AI score0.00429EPSS
Exploits0References4Affected Software1
Cvelist
Cvelist
added 2026/07/09 9:10 p.m.37 views

CVE-2026-55605 @arikusi/deepseek-mcp-server Missing Authentication on Self-Hosted HTTP MCP Endpoint

DeepSeek MCP Server is an MCP server for DeepSeek V4. Starting in version 1.4.2 and prior to version 1.8.0, the self-hosted HTTP transport of @arikusi/deepseek-mcp-server exposes POST /mcp without any authentication: createMcpExpressApp is called without an authProvider and no middleware guards t...

5.3CVSS0.00429EPSS
Exploits0References3
OSV
OSV
added 2026/07/09 9:10 p.m.4 views

CVE-2026-55605 @arikusi/deepseek-mcp-server Missing Authentication on Self-Hosted HTTP MCP Endpoint

DeepSeek MCP Server is an MCP server for DeepSeek V4. Starting in version 1.4.2 and prior to version 1.8.0, the self-hosted HTTP transport of @arikusi/deepseek-mcp-server exposes POST /mcp without any authentication: createMcpExpressApp is called without an authProvider and no middleware guards t...

5.3CVSS6AI score0.00429EPSS
Exploits0References5
CVE
CVE
added 2026/07/09 9:10 p.m.11 views

CVE-2026-55605

Summary: CVE-2026-55605 affects the self-hosted HTTP transport of @arikusi/deepseek-mcp-server used with DeepSeek V4. starting in 1.4.2 and before 1.8.0, the POST /mcp endpoint is exposed without authentication due to createMcpExpressApp being called without an authProvider and missing route guar...

5.3CVSS5.9AI score0.00429EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/07/09 12:0 a.m.6 views

PT-2026-56971

Name of the Vulnerable Software and Affected Versions DeepSeek MCP Server versions 1.4.2 through 1.6.x Description The process-global SessionStore accepts caller-supplied session id values without binding them to an authenticated principal or transport session. This allows an attacker to enumerat...

8.6CVSS6.1AI score0.00225EPSS
Exploits0References4
The Hacker News
The Hacker News
added 2026/07/01 12:59 p.m.28 views

AI-Generated Browser Ransomware Abuses Chromium API on Windows, Linux, macOS, Android

Cybersecurity researchers have flagged a new malware artifact generated using DeepSeek that constructed a novel attack path combining "unrealistic browser-malware concepts with a real browser capability" to turn it into a working ransomware technique that runs entirely inside the browser on both...

8.8CVSS7.2AI score0.99735EPSS
Exploits9
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/05/20 7:6 a.m.15 views

Malicious code in seekcode (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 6f4fe5d868d0434123b1a29a739072fe0e0ec0f2efd1ceda4d2c16ccffecf105 When a user selects the advertised deepseek-cn provider, the package's defaultBaseUrlForProvider function in dist/chunk-6U42R724.js returns...

5.8AI score
Exploits0References3
OSV
OSV
added 2026/05/20 7:6 a.m.9 views

MAL-2026-4667 Malicious code in seekcode (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 6f4fe5d868d0434123b1a29a739072fe0e0ec0f2efd1ceda4d2c16ccffecf105 When a user selects the advertised deepseek-cn provider, the package's defaultBaseUrlForProvider function in dist/chunk-6U42R724.js returns...

5.8AI score
Exploits0References3
Snyk
Snyk
added 2026/05/14 8:29 p.m.25 views

Server-side Request Forgery (SSRF)

Overview deepseek-tui is an Install and run deepseek and deepseek-tui binaries from GitHub release artifacts. Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the fetchurl process. An attacker can gain unauthorized access to internal resources by supplying ...

7.4CVSS5.8AI score0.00239EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/05/14 8:29 p.m.15 views

DeepSeek TUI has SSRF‌ IPV6 bypass

Summary Although SSRF is validated against hostnames that resolve to private IPv6 addresses, when providing the IPV6 in‌‌ URL‌ as http://::1, the SSRF defenses do not work. Details...

7.4CVSS5.8AI score0.00239EPSS
Exploits0References6Affected Software1
Snyk
Snyk
added 2026/05/14 8:29 p.m.36 views

Arbitrary Code Injection

Overview deepseek-tui is an Install and run deepseek and deepseek-tui binaries from GitHub release artifacts. Affected versions of this package are vulnerable to Arbitrary Code Injection via the runtests process. An attacker can execute arbitrary code by introducing malicious test code into a...

9.6CVSS6.2AI score0.00375EPSS
Exploits0References2
Patchstack
Patchstack
added 2026/05/14 8:29 p.m.9 views

NPM: DeepSeek TUI: run_tests Tool Enables RCE via Malicious Repository Without Approval

NPM: DeepSeek TUI: runtests Tool Enables RCE via Malicious Repository Without Approval vulnerability discovered by ? in WordPress Npm deepseek-tui versions = 0.3.0, 0.8.23...

9.6CVSS5.8AI score0.00375EPSS
Exploits0References3Affected Software1
Snyk
Snyk
added 2026/05/14 8:29 p.m.17 views

Server-side Request Forgery (SSRF)

Overview deepseek-tui is an Install and run deepseek and deepseek-tui binaries from GitHub release artifacts. Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the fetchurl process. An attacker can access sensitive internal resources by supplying a URL that...

7.4CVSS5.8AI score0.00226EPSS
Exploits0References2
Patchstack
Patchstack
added 2026/05/14 8:29 p.m.10 views

NPM: DeepSeek TUI has SSRF via HTTP Redirect Bypass in fetch_url Tool

NPM: DeepSeek TUI has SSRF via HTTP Redirect Bypass in fetchurl Tool vulnerability discovered by ? in WordPress Npm deepseek-tui versions 0.8.22...

7.4CVSS5.8AI score0.00226EPSS
Exploits0References3Affected Software1
Packet Storm News
Packet Storm News
added 2026/03/30 12:0 a.m.16 views

Kill-Chain Canaries: Stage-Level Tracking of Prompt Injection across Attack Surfaces and Model Safety Tiers

We present a stage-decomposed analysis of prompt injection attacks against five frontier LLM agents. Prior work measures task-level attack success rate ASR; we localize the pipeline stage at which each model's defense activates. We instrument every run with a cryptographic canary token...

5.9AI score
Exploits0
Rows per page
Query Builder