31 matches found

OSV
added 2026/05/14 6:24 p.m. | 1 views

GHSA-7XGW-6QF3-7W59 dbt MCP Server Logs Tool Arguments Including SQL Queries and Credentials in Plaintext Without Redaction When File Logging Is Enabled

Discovered through manual source code review. Verified by PoC execution against a local dbt-mcp v1.15.1 installation. Summary: DbtMCP.call_tool in src/dbt_mcp/mcp/server.py logs the complete raw arguments dictionary at INFO level on every tool invocation (line 67) and again at ERROR level if the call...

CVSS 2.5 | AI score 6
Exploits 0 | References 3
Github Security Blog
added 2026/05/14 6:24 p.m. | 6 views

dbt MCP Server Logs Tool Arguments Including SQL Queries and Credentials in Plaintext Without Redaction When File Logging Is Enabled

Discovered through manual source code review. Verified by PoC execution against a local dbt-mcp v1.15.1 installation. Summary: DbtMCP.call_tool in src/dbt_mcp/mcp/server.py logs the complete raw arguments dictionary at INFO level on every tool invocation (line 67) and again at ERROR level if the call...

AI score 6
Exploits 0 | References 3 | Affected Software 1
Snyk
added 2026/05/14 6:24 p.m. | 4 views

Insertion of Sensitive Information into Log File

Overview: dbt-mcp is an MCP (Model Context Protocol) server for interacting with dbt resources. Affected versions of this package are vulnerable to Insertion of Sensitive Information into Log File in the call_tool process when file logging is enabled via the DBT_MCP_SERVER_FILE_LOGGING setting. An...

CVSS 2.5 | AI score 5.9
Exploits 0 | References 2
Positive Technologies
added 2026/05/14 12:0 a.m. | 5 views

PT-2026-41149

Discovered through manual source code review. Verified by PoC execution against a local dbt-mcp v1.15.1 installation. Summary: DbtMCP.call_tool in src/dbt_mcp/mcp/server.py logs the complete raw arguments dictionary at INFO level on every tool invocation (line 67) and again at ERROR level if the cal...

CVSS 2.5 | AI score 6
Exploits 0 | References 4
RedhatCVE
added 2026/04/03 10:58 a.m. | 2 views

CVE-2026-1540

The Spam Protect for Contact Form 7 WordPress plugin before 1.2.10 allows logging to a PHP file, which could allow an attacker with editor access to achieve Remote Code Execution by using a crafted header...

CVSS 7.2 | AI score 6 | EPSS 0.00114
Exploits 0 | References 1
EUVD
added 2025/10/07 12:30 a.m. | 0 views

EUVD-2019-2976

Malware in sbrugna...

CVSS 8.8 | AI score 7.6 | EPSS 0.00448
Exploits 0 | References 2
EUVD
added 2025/10/07 12:30 a.m. | 4 views

EUVD-2000-0810

Malware in sbrugna...

CVSS 10 | AI score 6.4 | EPSS 0.00584
Exploits 0 | References 4
EUVD
added 2025/10/03 8:7 p.m. | 1 views

EUVD-2024-15888

Malicious code in bioql PyPI...

CVSS 9 | AI score 6.6 | EPSS 0.04619
Exploits 0 | References 1
OSSF Malicious Packages
added 2025/08/14 6:52 p.m. | 2 views

Malicious code in file-logging (npm)

The package file-logging was found to contain malicious code...

AI score 7
Exploits 0
OSV
added 2025/08/14 6:52 p.m. | 1 views

MAL-2025-20548 Malicious code in file-logging (npm)

The package file-logging was found to contain malicious code...

AI score 7.2
Exploits 0
Github Security Blog
added 2025/07/15 3:31 p.m. | 4 views

Apache CXF is vulnerable to DoS attacks as entire files are read into memory and logged

Apache CXF stores large stream based messages as temporary files on the local filesystem. A bug was introduced which means that the entire temporary file is read into memory and then logged. An attacker might be able to exploit this to cause a denial of service attack by causing an out of memory...

CVSS 5.6 | AI score 6.1 | EPSS 0.0031
Exploits 0 | References 6 | Affected Software 1
Gitee
added 2025/07/06 3:34 a.m. | 102 views

Exploit for Deserialization of Untrusted Data in Siemens 6Bk1602-0Aa12-0Tp0_Firmware

Log4Pot: A honeypot for the Log4Shell vulnerability (CVE-2021-44228). License: GPLv3.0. Features: Listen on various ports for Log4Shell exploitation. Detect exploitation in request line and headers. Download exploit payloads recursively. Log to file and Azure blob storage. Usage: 1. Install Poetry: cur...

CVSS 10 | AI score 8.5 | EPSS 0.94358
Exploits 341
Cvelist
added 2024/05/09 9:51 p.m. | 14 views

CVE-2024-0087 CVE

NVIDIA Triton Inference Server for Linux contains a vulnerability where a user can set the logging location to an arbitrary file. If this file exists, logs are appended to the file. A successful exploit of this vulnerability might lead to code execution, denial of service, escalation of privilege...

CVSS 9 | AI score 9.4 | EPSS 0.04619
Exploits 0 | References 1
OSV
added 2024/03/06 10:52 a.m. | 11 views

BIT-FLUENTD-2021-41186 ReDoS vulnerability in parser_apache2

Fluentd collects events from various data sources and writes them to files to help unify logging infrastructure. The parser_apache2 plugin in Fluentd v0.14.14 to v1.14.1 suffers from a regular expression denial of service (ReDoS) vulnerability. A broken apache log with a certain pattern of string ca...

CVSS 7.5 | AI score 7.2 | EPSS 0.00486
Exploits 0 | References 4
Prion
added 2023/04/04 2:15 p.m. | 11 views

Design/Logic Flaw

In JetBrains PhpStorm before 2023.1 source code could be logged in the local idea.log file...

CVSS 1.7 | AI score 4.3 | EPSS 0.00001
Exploits 0 | References 1 | Affected Software 1
Kitploit
added 2021/08/11 9:30 p.m. | 248 views

Wsh - Web Shell Generator And Command Line Interface

wsh (pronounced woosh) is a web shell generator and command line interface. This started off as just an http client since interacting with webshells is a pain. There's a form, to send a command you have to type in an input box and press a button. I wanted something that fits into my workflow better...

AI score 7.6
Exploits 0 | References 1
Veracode
added 2020/01/28 5:4 a.m. | 17 views

CRLF Injection

simplesamlphp/simplesamlphp is vulnerable to CRLF injection. The vulnerability exists as the file logging handler is configured to be used with simplesamlphp, allowing the unsanitized values of reportID to be used to inject newline characters into logs...

CVSS 5.4 | AI score 2.2 | EPSS 0.00173
Exploits 0 | References 3 | Affected Software 1
Github Security Blog
added 2020/01/24 9:26 p.m. | 57 views

Log injection in SimpleSAMLphp

Background: SimpleSAMLphp has a logging functionality that allows system administrators to keep track of the activity, errors, and statistics. Additionally, it allows users to report errors, shall they happen. An error report contains a report identifier, which is logged once submitted. Descriptio...

CVSS 5.5 | AI score 1.6 | EPSS 0.00173
Exploits 0 | References 4 | Affected Software 1
OSV
added 2020/01/24 9:15 p.m. | 1 views

DEBIAN-CVE-2020-5225

Log injection in SimpleSAMLphp before version 1.18.4. The www/erroreport.php script, which receives error reports and sends them via email to the system administrator, did not properly sanitize the report identifier obtained from the request. This allows an attacker, under specific circumstances,...

CVSS 5.4 | AI score 5.8 | EPSS 0.00173
Exploits 0 | References 1
NVD
added 2020/01/24 9:15 p.m. | 10 views

CVE-2020-5225

Log injection in SimpleSAMLphp before version 1.18.4. The www/erroreport.php script, which receives error reports and sends them via email to the system administrator, did not properly sanitize the report identifier obtained from the request. This allows an attacker, under specific circumstances,...

CVSS 5.5 | AI score 5.2 | EPSS 0.00173
Exploits 0 | References 2