29579 matches found
CVE-2026-27124
FastMCP is the standard framework for building MCP applications. Prior to version 3.2.0, while testing the GitHubProvider OAuth integration, which allows authentication to a FastMCP MCP server via a FastMCP OAuthProxy using GitHub OAuth, it was discovered that the FastMCP OAuthProxy does not...
MAL-2026-2449 Malicious code in mgc (npm)
Package fetches platform-specific stage-2 payloads from a GitHub Gist. The stage-2 payloads are full Remote Access Trojans (RATs) for Linux (Python) and Windows (PowerShell) that beacon to a C2 server, exfiltrate system information, enumerate directories, execute arbitrary commands, and support binary...
GHSA-98CH-45WP-CH47
creationtimestamp | type | source
---|---|---
2026-04-02 22:22:27+00:00 | published-proof-of-concept | Telegram/LEqzgESE2wGHUVmUGbeDXDuSp8F8SqNkH2O3nuA9SKVO2A...
GHSA-MV6H-V3JG-G539
creationtimestamp | type | source
---|---|---
2026-04-02 19:26:58+00:00 | published-proof-of-concept | Telegram/7DVhAvDfvaCSFfrp-315YEAfd2kaZp9OZJgmE0wwvo2i8o...
GHSA-Q3P6-G7C4-829C
creationtimestamp | type | source
---|---|---
2026-04-02 19:26:18+00:00 | seen | Telegram/zX6Kqs44rDek2r3jgp5vCS4jdZwe09icUbxsylGXOdI3O8...
GHSA-9P23-P2M4-2R4M
creationtimestamp | type | source
---|---|---
2026-04-02 19:26:18+00:00 | seen | Telegram/zX6Kqs44rDek2r3jgp5vCS4jdZwe09icUbxsylGXOdI3O8...
GO-2026-4912 Fleet's user account creation via invite does not enforce invited email address in github.com/fleetdm/fleet
Fleet's user account creation via invite does not enforce invited email address in github.com/fleetdm/fleet...
GO-2026-4911 Docker Model Runner OCI Registry Client Vulnerable to Server-Side Request Forgery (SSRF) in github.com/docker/model-runner
Docker Model Runner OCI Registry Client Vulnerable to Server-Side Request Forgery (SSRF) in github.com/docker/model-runner...
GO-2026-4904 nginx-ui's Unauthenticated MCP Endpoint Allows Remote Nginx Takeover in github.com/0xJacky/Nginx-UI
nginx-ui's Unauthenticated MCP Endpoint Allows Remote Nginx Takeover in github.com/0xJacky/Nginx-UI...
GO-2026-4916 Mattermost doesn't rate limit login requests, allowing DoS in github.com/mattermost/mattermost-server
Mattermost doesn't rate limit login requests, allowing DoS in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive reports from...
GO-2026-4903 nginx-ui Backup Restore Allows Tampering with Encrypted Backups in github.com/0xJacky/Nginx-UI
nginx-ui Backup Restore Allows Tampering with Encrypted Backups in github.com/0xJacky/Nginx-UI...
GO-2026-4873 Ella Core has Privilege Escalation via Database Restore by NetworkManager role in github.com/ellanetworks/core
Ella Core has Privilege Escalation via Database Restore by NetworkManager role in github.com/ellanetworks/core...
GO-2026-4901 nginx-UI has Unencrypted Storage of DNS API Tokens and ACME Private Keys in github.com/0xJacky/nginx-ui
nginx-UI has Unencrypted Storage of DNS API Tokens and ACME Private Keys in github.com/0xJacky/nginx-ui...
GO-2026-4913 Fleet vulnerable to SQL Injection in MDM bootstrap package by authenticated team or global admin in github.com/fleetdm/fleet
Fleet vulnerable to SQL Injection in MDM bootstrap package by authenticated team or global admin in github.com/fleetdm/fleet...
GO-2026-4906 nginx-ui has Race Condition that Leads to Persistent Data Corruption and Service Collapse in github.com/0xJacky/Nginx-UI
nginx-ui has Race Condition that Leads to Persistent Data Corruption and Service Collapse in github.com/0xJacky/Nginx-UI...
CVE-2026-35452
creationtimestamp | type | source
---|---|---
2026-04-02 18:01:54+00:00 | published-proof-of-concept | https://github.com/WWBN/AVideo/security/advisories/GHSA-99j6-hj87-6fcf...
CVE-2026-35448
creationtimestamp | type | source
---|---|---
2026-04-02 17:52:54+00:00 | published-proof-of-concept | https://github.com/WWBN/AVideo/security/advisories/GHSA-3v7m-qg4x-58h9...
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Overview: fast-filesystem-mcp is a Fast Filesystem MCP Server - Advanced file operations with Auto-Chunking, Sequential Reading, complex file operations (copy, move, delete, batch, compress), optimized for Claude Desktop. Affected versions of this package are vulnerable to Improper Neutralization of...
Why GitHub Developers Are Targeted by Token Giveaway Scams
GitHub developers face rising giveaway scams. Verify repos, links, and maintainers before acting. Avoid rushed clicks, fake rewards, and risky wallet actions...