EUVD-2026-30493
The MCP Registry provides MCP clients with a list of MCP servers, like an app store for MCP servers. Prior to 1.7.6, the client-side and server-side GitHub OIDC flow is bound only to a global audience string, not to the specific registry instance being targeted. On the client side, the publisher...
EUVD-2026-19869
OpenObserve is a cloud-native observability platform. In 0.70.3 and earlier, the validate_enrichment_url function in src/handler/http/request/enrichment_table/mod.rs fails to block IPv6 addresses because Rust's url crate returns them with surrounding brackets, e.g. "[::1]" rather than "::1". An authenticated...
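The bracket mismatch above is a general SSRF-filter pitfall: a deny-list that compares the host string against bare literals never matches "[::1]". The following is an added illustration, not OpenObserve's code and not the url crate: host_str is a std-only stand-in that reproduces the crate's bracketed IPv6 host output, is_blocked_vulnerable is a hypothetical approximation of a string-literal deny-list, and is_blocked_fixed shows the hardening: normalise the host, parse it as an address, and classify the address (including IPv4-mapped IPv6, unique-local and link-local ranges) instead of the string.

```rust
use std::net::IpAddr;

/// Stand-in for `url::Url::parse(u)?.host_str()` (assumption for this
/// example; the real crate is not used): an IPv6 host comes back *with*
/// its brackets, e.g. "[::1]". Takes the authority between "://" and the
/// first "/", "?" or "#", then drops userinfo and port.
pub fn host_str(url: &str) -> Option<String> {
    let rest = url.split_once("://")?.1;
    let authority = rest.split(|c| c == '/' || c == '?' || c == '#').next()?;
    let authority = authority.rsplit_once('@').map_or(authority, |(_, h)| h);
    if authority.starts_with('[') {
        let end = authority.find(']')?;
        return Some(authority[..=end].to_string());
    }
    Some(authority.split(':').next()?.to_string())
}

/// Hypothetical approximation of the broken pattern: a deny-list of bare
/// literals compared against the bracketed host string, so "[::1]" passes.
pub fn is_blocked_vulnerable(host: &str) -> bool {
    matches!(host, "localhost" | "127.0.0.1" | "0.0.0.0" | "::1" | "::")
}

/// True for addresses a server-side fetch should never be allowed to reach.
pub fn is_internal_ip(ip: IpAddr) -> bool {
    match ip {
        IpAddr::V4(v4) => {
            v4.is_loopback() || v4.is_private() || v4.is_link_local() || v4.is_unspecified()
        }
        IpAddr::V6(v6) => {
            let first = v6.segments()[0];
            v6.is_loopback()
                || v6.is_unspecified()
                || (first & 0xfe00) == 0xfc00 // fc00::/7 unique local
                || (first & 0xffc0) == 0xfe80 // fe80::/10 link local
                // ::ffff:a.b.c.d hits the IPv4 stack, so apply the IPv4 rules to it
                || v6.to_ipv4_mapped().map_or(false, |v4| is_internal_ip(IpAddr::V4(v4)))
        }
    }
}

/// Hardened check: strip brackets and any zone id, parse the result as an
/// address, and classify the address rather than comparing strings.
pub fn is_blocked_fixed(host: &str) -> bool {
    let h = host.trim_start_matches('[').trim_end_matches(']');
    if h.eq_ignore_ascii_case("localhost") {
        return true;
    }
    let h = h.split('%').next().unwrap_or(h);
    match h.parse::<IpAddr>() {
        Ok(ip) => is_internal_ip(ip),
        // A hostname must be resolved and every returned address classified
        // the same way, with the checked address pinned for the actual
        // connection (DNS rebinding); that part is not shown here.
        Err(_) => false,
    }
}

fn main() {
    // Constructed sample URLs.
    for u in [
        "http://[::1]:5080/api/",
        "http://[::ffff:127.0.0.1]/",
        "http://user:pw@10.0.0.5:8080/x",
        "https://example.com/",
    ] {
        let h = host_str(u).unwrap();
        println!(
            "{u:32} host={h:20} vulnerable_blocks={:5} fixed_blocks={}",
            is_blocked_vulnerable(&h),
            is_blocked_fixed(&h)
        );
    }
}
```

The fixed variant still only covers IP literals; a hostname has to be resolved and each resolved address passed through is_internal_ip, and the address that was checked must be the one actually connected to.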
GHSA-7R34-79R5-RCC9 MCP Atlassian has SSRF via unvalidated X-Atlassian-Jira-Url / X-Atlassian-Confluence-Url headers
Summary An unauthenticated attacker who can reach the mcp-atlassian HTTP endpoint can force the server process to make outbound HTTP requests to an arbitrary attacker-controlled URL by supplying two custom HTTP headers without an Authorization header. No authentication is required. The...
CVE-2026-26202 Penpot has Arbitrary File Read via create-font-variant RPC endpoint
Penpot is an open-source design tool for design and code collaboration. Prior to version 2.13.2, an authenticated user can read arbitrary files from the server by supplying a local file path e.g. /etc/passwd as a font data chunk in the create-font-variant RPC endpoint, resulting in the file...
zot logs secrets
Summary When using Keycloak as an oidc provider, the clientsecret gets printed into the container stdout logs, for example at container startup. Details Container Image 15.04.2025: ghcr.io/project-zot/zot-linux-amd64:latest Here is an example of how the configuration can look that causes the abov...
PT-2024-4478 · Westermo · Westermo Edw-100
Name of the Vulnerable Software and Affected Versions: Westermo EDW-100 devices through 2024-05-03 Description: The issue is related to a hidden root user account with a hardcoded password that cannot be changed in Westermo EDW-100 devices. This could allow a remote attacker to disclose informati...
PicketBox/JBossSX: Unauthorized access to and modification of application server configuration and state by application
It was identified that PicketBox/JBossSX allowed any deployed application to alter or read the underlying application server configuration and state without any authorization checks. An attacker able to deploy applications could use this flaw to circumvent security constraints applied to other...