29593 matches found

Github Security Blog
added 2025/12/02 12:38 a.m. (6 views)

MCP Watch has a critical command injection in cloneRepo that allows Remote Code Execution (RCE) via a malicious URL

Summary: The MCPScanner class contains a critical command injection vulnerability in the cloneRepo method. The application passes the user-supplied githubUrl argument directly to a system shell via execSync without sanitization, which allows an attacker to execute arbitrary commands on the host...

CVSS 9.8 | AI score 8.6 | EPSS 0.01969
Exploits 1 | References 4 | Affected software 1
Nvidia
added 2025/12/02 12:00 a.m. (6 views)

Security Bulletin: NVIDIA Triton Inference Server - December 2025

NVIDIA has released a software update for NVIDIA Triton Inference Server to address the issue disclosed in this bulletin. To protect your system, install the latest release from the Triton Inference Server Releases page on GitHub, and view the Secure Deployment Considerations Guide. Go to NVIDIA...

CVSS 7.5 | AI score 6.9 | EPSS 0.00825
Exploits 0 | Affected software 1
NVD
added 2025/12/01 11:15 p.m. (4 views)

CVE-2025-66401

MCP Watch is a comprehensive security scanner for Model Context Protocol (MCP) servers. In 0.1.2 and earlier, the MCPScanner class contains a critical command injection vulnerability in the cloneRepo method. The application passes the user-supplied githubUrl argument directly to a system shell via...

CVSS 9.8 | EPSS 0.01969
Exploits 1 | References 2
Circl
added 2025/12/01 9:04 p.m. (2 views)

GHSA-662M-56V4-3R8F

creationtimestamp | type | source
---|---|---
2025-12-01 21:04:49+00:00 | seen | https://infosec.exchange/users/cR0w/statuses/115646338745778362...

AI score 5.8
Exploits 0 | References 1
Circl
added 2025/12/01 3:55 p.m. (4 views)

CVE-2025-66297

creationtimestamp | type | source
---|---|---
2025-12-01 15:55:48+00:00 | published-proof-of-concept | https://github.com/getgrav/grav/security/advisories/GHSA-858q-77wx-hhx6...

CVSS 8.8 | AI score 5.8 | EPSS 0.00659
Exploits 1 | References 1
The Hacker News
added 2025/12/01 12:47 p.m. (18 views)

⚡ Weekly Recap: Hot CVEs, npm Worm Returns, Firefox RCE, M365 Email Raid & More

Hackers aren't kicking down the door anymore. They just use the same tools we use every day — code packages, cloud accounts, email, chat, phones, and "trusted" partners — and turn them against us. One bad download can leak your keys. One weak vendor can expose many customers at once. One guest...

CVSS 9.8 | AI score 10 | EPSS 0.99962
Exploits 26
Circl
added 2025/12/01 7:51 a.m. (4 views)

CVE-2018-17082

creationtimestamp | type | source
---|---|---
2025-12-01 07:51:52+00:00 | confirmed | https://github.com/projectdiscovery/nuclei-templates/tree/main/http/cves/2018/CVE-2018-17082.yaml
2025-12-02 21:02:28+00:00 | seen | https://bsky.app/profile/beikokucyber.bsky.social/post/3m6ztowc7ky2w
2026-01-27...

CVSS 6.1 | AI score 6.6 | EPSS 0.04103
Exploits 1 | References 3
Positive Technologies
added 2025/12/01 12:00 a.m. (5 views)

PT-2025-48575

Name of the vulnerable software and affected versions: MCP Watch versions 0.1.2 and earlier. Description: MCP Watch, a security scanner for Model Context Protocol (MCP) servers, contains a command injection issue in the cloneRepo method of the MCPScanner class. The application directly passes the...

CVSS 9.8 | AI score 7.6 | EPSS 0.01969
Exploits 1 | References 13
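The three MCP Watch entries in this listing (the GitHub Security Blog advisory, CVE-2025-66401 and PT-2025-48575) all describe the same defect: a caller-supplied githubUrl is spliced into a shell command string and run through execSync. The block below is an added illustration, not MCP Watch's code and not taken from any of the advisories; it is written for Node.js because MCP Watch ships on npm and execSync is Node's child_process API. It puts the injectable string-building pattern next to a hardened routine that validates the URL against a strict allowlist and hands git an argument array through execFileSync, so no shell ever parses the input. The function names (vulnerableCloneCommand, safeCloneArgs, cloneRepo), the GitHub-only allowlist and every sample URL are assumptions made for the example.

```javascript
// Added example, not MCP Watch's code: the shell-injection pattern the
// advisories describe, next to a hardened clone routine. All names are
// hypothetical.

// VULNERABLE PATTERN (returned as a string, never executed here): the URL is
// spliced into one command line. execSync always hands that line to a shell
// (/bin/sh, or cmd.exe on Windows), so anything the shell treats as syntax
// inside the URL (;  &&  |  $(...)  backticks) runs as its own command.
function vulnerableCloneCommand(githubUrl, dest) {
  return `git clone ${githubUrl} ${dest}`;
}

// Strict allowlist: only https://github.com/<owner>/<repo>[.git], with no
// query, fragment, credentials, trailing slash or extra path segments. The
// character class deliberately excludes every shell and git metacharacter.
const GITHUB_HTTPS =
  /^https:\/\/github\.com\/([A-Za-z0-9_.-]+)\/([A-Za-z0-9_.-]+?)(?:\.git)?$/;

// HARDENED: parse with the WHATWG URL class (rejects non-URLs, lowercases the
// host, percent-encodes spaces), match the canonical href against the
// allowlist, then rebuild the URL from the captured parts so only validated
// text reaches git.
function safeCloneArgs(githubUrl, dest) {
  if (typeof dest !== "string" || dest.length === 0) {
    throw new Error("destination path is required");
  }
  let href;
  try {
    href = new URL(githubUrl).href;
  } catch {
    throw new Error("githubUrl is not a valid URL");
  }
  const m = GITHUB_HTTPS.exec(href);
  if (!m) {
    throw new Error("only https://github.com/<owner>/<repo> URLs are accepted");
  }
  const [, owner, repo] = m;
  const canonical = `https://github.com/${owner}/${repo}.git`;
  // "--" ends option parsing: a repo name or dest beginning with "-" can then
  // never be read by git as a flag (git clone accepts --upload-pack=<command>,
  // for instance).
  return ["clone", "--depth=1", "--", canonical, dest];
}

// execFileSync takes an argv array and spawns no shell, so the URL is one
// argument to git whatever bytes it contains. The runner is injectable so the
// routine can be exercised without git or network access.
function cloneRepo(githubUrl, dest, run = defaultRunner) {
  const args = safeCloneArgs(githubUrl, dest);
  run(args);
  return args;
}

function defaultRunner(args) {
  // Required lazily so the rest of the file loads without child_process.
  const { execFileSync } = require("node:child_process");
  execFileSync("git", args, { stdio: "inherit" });
}

// Constructed sample inputs (not from any advisory) showing the difference.
const SAMPLES = [
  "https://github.com/octo/repo",
  "https://GitHub.com/octo/repo.git",
  "https://github.com/octo/repo; id", // shell separator inside the path
  "https://github.com/octo/repo$(id)", // command substitution
  "ssh://git@github.com/octo/repo", // wrong scheme
  "-oProxyCommand=id", // option smuggling, not even a URL
];
for (const url of SAMPLES) {
  let verdict;
  try {
    verdict = "accepted -> git " + safeCloneArgs(url, "/tmp/scan").join(" ");
  } catch (e) {
    verdict = "rejected: " + e.message;
  }
  console.log(
    `${url}\n  shell string: ${vulnerableCloneCommand(url, "/tmp/scan")}\n  ${verdict}`,
  );
}
```

The important property is that validation and execution are separated: safeCloneArgs never returns anything git did not get in canonical form, and cloneRepo never builds a string a shell could reinterpret. Tightening the allowlist (one host, one scheme, two path segments) is what keeps the hardened version simple; if a scanner genuinely needs other hosts, extend the allowlist rather than relaxing the character class.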
Circl
added 2025/11/29 11:34 p.m. (2 views)

CVE-2023-41954

creationtimestamp | type | source
---|---|---
2025-11-29 23:34:16+00:00 | confirmed | https://github.com/projectdiscovery/nuclei-templates/tree/main/http/cves/2023/CVE-2023-41954.yaml
2025-12-01 21:02:38+00:00 | seen | https://bsky.app/profile/beikokucyber.bsky.social/post/3m6xda5caqj2w...

CVSS 8.6 | AI score 5.6 | EPSS 0.01397
Exploits 0 | References 2
Circl
added 2025/11/29 6:33 p.m. (3 views)

CVE-2019-25213

creationtimestamp | type | source
---|---|---
2025-11-29 18:33:45+00:00 | confirmed | https://github.com/projectdiscovery/nuclei-templates/tree/main/http/cves/2019/CVE-2019-25213.yaml
2025-12-01 21:02:31+00:00 | seen | https://bsky.app/profile/beikokucyber.bsky.social/post/3m6xda4hvzu2e
2025-12-02...

CVSS 9.8 | AI score 7.3 | EPSS 0.02711
Exploits 1 | References 4
Fedora
added 2025/11/29 5:08 p.m. (5 views)

[SECURITY] Fedora 42 Update: migrate-4.19.0-1.fc42

Go database migrations library and program. This package is built with the following database backends: cassandra, cockroachdb, mongodb, mysql, postgres, redshift, sqlite3, sqlite. This package is built with the following source backends: github, gitlab, go-bindata, godoc-vfs, gcs, iofs, pkger, s3...

CVSS 7.5 | AI score 7.2 | EPSS 0.00586
Exploits 0
Fedora
added 2025/11/29 4:49 p.m. (7 views)

[SECURITY] Fedora 43 Update: migrate-4.19.0-1.fc43

Go database migrations library and program. This package is built with the following database backends: cassandra, cockroachdb, mongodb, mysql, postgres, redshift, sqlite3, sqlite. This package is built with the following source backends: github, gitlab, go-bindata, godoc-vfs, gcs, iofs, pkger, s3...

CVSS 7.5 | AI score 6.8 | EPSS 0.00586
Exploits 0
Circl
added 2025/11/29 9:24 a.m. (2 views)

CVE-2025-10210

creationtimestamp | type | source
---|---|---
2025-11-29 09:24:53+00:00 | confirmed | https://github.com/projectdiscovery/nuclei-templates/tree/main/http/cves/2025/CVE-2025-10210.yaml
2025-12-01 21:02:39+00:00 | seen | https://bsky.app/profile/beikokucyber.bsky.social/post/3m6xda5kwa52g...

CVSS 8.8 | AI score 6.6 | EPSS 0.01195
Exploits 0 | References 2
Wolfi
added 2025/11/28 7:48 p.m. (6 views)

GHSA-M449-CWJH-6PW7 vulnerabilities

Vulnerabilities for packages: open-webui...

AI score 7
Exploits 0
Chainguard
added 2025/11/28 7:17 p.m. (5 views)

GHSA-M449-CWJH-6PW7 vulnerabilities

Vulnerabilities for packages: open-webui, nemo...

AI score 5.8
Exploits 0
RedhatCVE
added 2025/11/26 10:55 p.m. (11 views)

CVE-2025-13595

The CIBELES AI plugin for WordPress is vulnerable to arbitrary file uploads due to a missing capability check in the 'actualizadorgit.php' file in all versions up to, and including, 1.10.8. This makes it possible for unauthenticated attackers to download arbitrary GitHub repositories and overwrite...

CVSS 9.8 | AI score 7.2 | EPSS 0.00823
Exploits 3 | References 1
RedhatCVE
added 2025/11/26 10:55 p.m. (8 views)

CVE-2025-13597

The AI Feeds plugin for WordPress is vulnerable to arbitrary file uploads due to a missing capability check in the 'actualizadorgit.php' file in all versions up to, and including, 1.0.11. This makes it possible for unauthenticated attackers to download arbitrary GitHub repositories and overwrite...

CVSS 9.8 | AI score 7.2 | EPSS 0.00823
Exploits 3 | References 1
OSSF Malicious Packages
added 2025/11/26 4:39 a.m. (11 views)

Malicious code in org.mvnpm:posthog-node (Maven)

Source: google-open-source-security (ea90a5928d7667bed4fa9f6effbbe6c8d3ad6521ca51ca2b01551bc02373a7d2). This package was compromised by the Sha1-Hulud: The Second Coming npm worm. The malicious payload steals tokens and credentials and...

AI score 6.9
Exploits 0 | References 3
OSV
added 2025/11/26 4:39 a.m. (1 view)

MAL-2025-191470 Malicious code in org.mvnpm:posthog-node (Maven)

Source: google-open-source-security (ea90a5928d7667bed4fa9f6effbbe6c8d3ad6521ca51ca2b01551bc02373a7d2). This package was compromised by the Sha1-Hulud: The Second Coming npm worm. The malicious payload steals tokens and credentials and...

AI score 6.8
Exploits 0 | References 3
OSSF Malicious Packages
added 2025/11/26 2:42 a.m. (12 views)

Malicious code in @lokeswari-satyanarayanan/rn-zustand-expo-template (npm)

Source: amazon-inspector (73fe3bd99e2f11ab8bb09a9086c4dca8af56372031492ed11d90f1e32a0e8f53). The package @lokeswari-satyanarayanan/rn-zustand-expo-template was found to contain malicious code. Source: google-open-source-security...

AI score 6.9
Exploits 0 | References 3