7 matches found
Model Context Protocol (MCP) TypeScript SDK does not enable DNS rebinding protection by default
The Model Context Protocol (MCP) TypeScript SDK does not enable DNS rebinding protection by default for HTTP-based servers. When an HTTP-based MCP server is run on localhost without authentication with StreamableHTTPServerTransport or SSEServerTransport and has not enabled...
EUVD-2014-6765
Malware in sbrugna...
EUVD-2022-7366
Malicious code in bioql PyPI...
TencentOS Server 3: nodejs (TSSA-2023:0002)
The version of Tencent Linux installed on the remote TencentOS Server 3 host is prior to the tested version. It is, therefore, affected by a vulnerability as referenced in the TSSA-2023:0002 advisory. Package updates are available for TencentOS Server 3 that fix the following vulnerabilities:...
CVE-2018-10813
In Dedos-web 1.0, the cookie and session secrets used in the Express.js application have hardcoded values that are visible in the source code published on GitHub. An attacker can edit the contents of the session cookie and re-sign it using the hardcoded secret. Due to the use of Passport.js, this...
CVE-2014-6887
The EXPRESS (aka com.gpshopper.express.android) application 2.5.3 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate...
Oracle Application Express (Apex) CVE-2010-0076
An unspecified vulnerability in version 3.2.1 of the Application Express Application Builder component of Oracle Database allows remote, authenticated users to affect confidentiality, integrity, and availability via unpublished vectors...