Lucene search
+L

8 matches found

OSV
OSV
added 2026/05/14 6:24 p.m.7 views

GHSA-XPWW-F6PM-CFHQ dbt MCP Server has an Argument Injection in dbt CLI Tool Wrappers via node_selection and resource_type Parameters

Discovered through manual source code review. Verified by PoC execution against a local dbt-mcp v1.15.1 installation. Summary rundbtcommand in src/dbtmcp/dbtcli/tools.py constructs the dbt subprocess argument list by appending user-supplied MCP tool parameters without sanitization. Two independen...

6.3CVSS6.1AI score0.00137EPSS
Exploits0References3
Github Security Blog
Github Security Blog
added 2026/05/14 6:24 p.m.16 views

dbt MCP Server has an Argument Injection in dbt CLI Tool Wrappers via node_selection and resource_type Parameters

Discovered through manual source code review. Verified by PoC execution against a local dbt-mcp v1.15.1 installation. Summary rundbtcommand in src/dbtmcp/dbtcli/tools.py constructs the dbt subprocess argument list by appending user-supplied MCP tool parameters without sanitization. Two independen...

6.3CVSS6.1AI score0.00137EPSS
Exploits0References3Affected Software1
Positive Technologies
Positive Technologies
added 2026/05/14 12:0 a.m.20 views

PT-2026-41148

Name of the Vulnerable Software and Affected Versions dbt-mcp version 1.15.1 Description The run dbt command function in src/dbt mcp/dbt cli/tools.py is susceptible to argument list injection. This occurs because user-supplied parameters are appended to the dbt subprocess argument list without...

6.3CVSS6.3AI score0.00137EPSS
Exploits0References10
RedhatCVE
RedhatCVE
added 2026/02/03 3:18 p.m.12 views

CVE-2026-1117

A vulnerability in the lollmsgenerationevents.py component of parisneo/lollms version 5.9.0 allows unauthenticated access to sensitive Socket.IO events. The addevents function registers event handlers such as generatetext, cancelgeneration, generatemsg, and generatemsgfrom without implementing...

8.2CVSS5.5AI score0.00436EPSS
Exploits0References1
Github Security Blog
Github Security Blog
added 2026/02/02 12:31 p.m.10 views

Lollms has an Improper Access Control vulnerability

A vulnerability in the lollmsgenerationevents.py component of parisneo/lollms version 5.9.0 allows unauthenticated access to sensitive Socket.IO events. The addevents function registers event handlers such as generatetext, cancelgeneration, generatemsg, and generatemsgfrom without implementing...

8.2CVSS5.5AI score0.00436EPSS
Exploits0References4Affected Software1
NVD
NVD
added 2026/02/02 10:16 a.m.15 views

CVE-2026-1117

A vulnerability in the lollmsgenerationevents.py component of parisneo/lollms version 5.9.0 allows unauthenticated access to sensitive Socket.IO events. The addevents function registers event handlers such as generatetext, cancelgeneration, generatemsg, and generatemsgfrom without implementing...

8.2CVSS0.00436EPSS
Exploits0References2
EUVD
EUVD
added 2026/02/02 9:55 a.m.9 views

EUVD-2026-5096

A vulnerability in the lollmsgenerationevents.py component of parisneo/lollms version 5.9.0 allows unauthenticated access to sensitive Socket.IO events. The addevents function registers event handlers such as generatetext, cancelgeneration, generatemsg, and generatemsgfrom without implementing...

8.2CVSS5.5AI score0.00436EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/02/02 12:0 a.m.11 views

PT-2026-5648

Name of the Vulnerable Software and Affected Versions parisneo/lollms version 5.9.0 Description A flaw exists in the lollms generation events.py component that permits unauthenticated access to sensitive Socket.IO events. The add events function registers event handlers – generate text, cancel...

8.2CVSS7.1AI score0.00436EPSS
Exploits0References14
Rows per page
Query Builder