CVE-2026-49291

mcp-memory-service is a semantic memory layer for AI applications. Prior to version 10.65.3, the HTTP MCP JSON-RPC endpoint at /mcp requires only OAuth read scope for all requests, then dispatches tools/call directly to handlers that include mutating tools. A read-only OAuth client can call...

CVE-2026-49291

mcp-memory-service (semantic memory layer for AI apps) exposed the HTTP MCP JSON-RPC endpoint at /mcp such that OAuth read scope allowed mutating actions. Before patch 10.65.3, a read-only OAuth client could invoke tools/call to reach store_memory and delete_memory, bypassing REST write scope che...

CVE-2026-44830

Nocturne Memory is a lightweight, rollbackable, and visual Long-Term Memory Server for MCP Agents. Prior to 2.4.1, when APITOKEN is unset or empty, the BearerTokenAuthMiddleware bypasses authentication for all HTTP requests. Combined with the default 0.0.0.0 host binding and CORS alloworigins="",...

EUVD-2026-32520

Nocturne Memory is a lightweight, rollbackable, and visual Long-Term Memory Server for MCP Agents. Prior to 2.4.1, when APITOKEN is unset or empty, the BearerTokenAuthMiddleware bypasses authentication for all HTTP requests. Combined with the default 0.0.0.0 host binding and CORS alloworigins="",...

CVE-2026-31244

The mem0 1.0.0 server lacks authentication and authorization controls for its memory deletion API endpoint DELETE /memories/memoryid. The endpoint allows unauthenticated users to delete arbitrary memory records without verifying their identity or permissions. A remote attacker can exploit this by...

EUVD-2026-29564

The mem0 1.0.0 server lacks authentication and authorization controls for its memory deletion API endpoint DELETE /memories. The endpoint allows unauthenticated users to delete memory records by specifying arbitrary user identifiers e.g., userid, runid, agentid in the request query parameters. A...

EUVD-2026-29563

The mem0 1.0.0 server lacks authentication and authorization controls for its memory management API endpoints. Critical functions such as updating memory records PUT /memories/memoryid are exposed without any verification of the requester's identity or permissions. A remote attacker can exploit...

CVE-2026-31240

The mem0 1.0.0 server lacks authentication and authorization controls for its memory management API endpoints. Critical functions such as updating memory records PUT /memories/memoryid are exposed without any verification of the requester's identity or permissions. A remote attacker can exploit...

mem0 安全漏洞

mem0 is an open-source benchmark tool for efficient memory algorithms developed by Mem0. Version 1.0.0 of mem0 contains a security vulnerability. This vulnerability stems from the lack of authentication and authorization controls in the memory reset function. Unauthorized attackers could exploit...

CVE-2026-31244

The mem0 1.0.0 server lacks authentication and authorization controls for its memory deletion API endpoint DELETE /memories/memoryid. The endpoint allows unauthenticated users to delete arbitrary memory records without verifying their identity or permissions. A remote attacker can exploit this by...

CVE-2025-61863

An out-of-bounds read vulnerability exists in VS6ComFile!CSaveData::deletemem of V-SFT v6.2.7.0 and earlier. Opening specially crafted V-SFT files may lead to information disclosure, affected system's abnormal end ABEND, and arbitrary code execution...

welpwn

This is an exploit module for a vulnerability in a binary, targeting a heap-based buffer overflow. The module is part of the PwnContext framework, which is a Python library for exploitation and reverse engineering. The module is designed to exploit a vulnerability in a binary that allows for a...