Lucene search
+L

33 matches found

osv
osv
added 2026/06/26 4:33 p.m.3 views

CVE-2026-48529 GitHub MCP Server: Lockdown mode singleton in HTTP server causes cross-user GraphQL client confusion

GitHub MCP Server is GitHub's official MCP Server. From 0.22.0 until 1.1.2, when running in HTTP mode with --lockdown-mode enabled, the RepoAccessCache is implemented as a process-global singleton initialized with the first authenticated user's GraphQL client. All subsequent requests from differe...

6CVSS6AI score0.00205EPSS
Exploits0References3
cvelist
cvelist
added 2026/06/26 4:33 p.m.36 views

CVE-2026-48529 GitHub MCP Server: Lockdown mode singleton in HTTP server causes cross-user GraphQL client confusion

GitHub MCP Server is GitHub's official MCP Server. From 0.22.0 until 1.1.2, when running in HTTP mode with --lockdown-mode enabled, the RepoAccessCache is implemented as a process-global singleton initialized with the first authenticated user's GraphQL client. All subsequent requests from differe...

6CVSS0.00205EPSS
Exploits0References1
cve
cve
added 2026/06/26 4:33 p.m.24 views

CVE-2026-48529

GitHub MCP Server (versions 0.22.0–1.1.2) in HTTP mode with --lockdown-mode stores RepoAccessCache as a process-global singleton initialized with the first authenticated user’s GraphQL client. All subsequent requests reuse that singleton, causing lockdown queries to run with the first user’s toke...

6CVSS5.8AI score0.00205EPSS
Exploits0References1
osv
osv
added 2026/06/25 9:32 p.m.5 views

GHSA-PJP5-FPMR-3349 GitHub MCP Server: Lockdown mode singleton in HTTP server causes cross-user GraphQL client confusion

Summary When running in HTTP mode with --lockdown-mode enabled, the RepoAccessCache is implemented as a process-global singleton initialized with the first authenticated user's GraphQL client. All subsequent requests from different users share this singleton and their lockdown-related GraphQL...

6CVSS5.9AI score0.00205EPSS
Exploits0References2
ptsecurity
ptsecurity
added 2026/06/25 12:0 a.m.10 views

PT-2026-52644

Name of the Vulnerable Software and Affected Versions GitHub MCP Server versions 0.22.0 through 1.1.1 Description When operating in HTTP mode with --lockdown-mode enabled, the RepoAccessCache is implemented as a process-global singleton. This singleton is initialized using the GraphQL client of t...

6CVSS5.7AI score0.00205EPSS
Exploits0References7
ossf
ossf
added 2025/10/30 5:38 p.m.9 views

Malicious code in egstore-graphql-client (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 2a8f78f2a6abccca4b462d391732c3bc43094be0be51d4d3cc06a1686d1b554e The package egstore-graphql-client was found to contain malicious code...

7AI score
Exploits0
euvd
euvd
added 2025/10/30 5:38 p.m.7 views

EUVD-2025-37182

Malicious code in egstore-graphql-client npm...

6.6AI score
Exploits0
osv
osv
added 2025/10/30 5:38 p.m.5 views

MAL-2025-49111 Malicious code in egstore-graphql-client (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 2a8f78f2a6abccca4b462d391732c3bc43094be0be51d4d3cc06a1686d1b554e The package egstore-graphql-client was found to contain malicious code...

7AI score
Exploits0
euvd
euvd
added 2025/10/03 8:7 p.m.9 views

EUVD-2023-48171

Malicious code in bioql PyPI...

7.8CVSS7.6AI score0.002EPSS
Exploits0References2
euvd
euvd
added 2025/10/03 8:7 p.m.6 views

EUVD-2024-52315

Malicious code in bioql PyPI...

6.8CVSS6.6AI score0.00182EPSS
Exploits0References2
euvd
euvd
added 2025/10/03 8:7 p.m.9 views

EUVD-2024-0403

Malicious code in bioql PyPI...

7.2CVSS6.5AI score0.00355EPSS
Exploits0References4
redhatcve
redhatcve
added 2025/05/23 8:12 a.m.19 views

CVE-2024-54147

Altair is a GraphQL client for all platforms. Prior to version 8.0.5, Altair GraphQL Client's desktop app does not validate HTTPS certificates allowing a man-in-the-middle to intercept all requests. Any Altair users on untrusted networks eg. public wifi, malicious DNS servers may have all GraphQL...

6.8CVSS6.9AI score0.00182EPSS
Exploits0References1
redhatcve
redhatcve
added 2025/05/23 4:25 a.m.17 views

CVE-2023-43799

Altair is a GraphQL Client. Prior to version 5.2.5, the Altair GraphQL Client Desktop Application does not sanitize external URLs before passing them to the underlying system. Moreover, Altair GraphQL Client also does not isolate the context of the renderer process. This affects versions of the...

7.8CVSS6.8AI score0.002EPSS
Exploits0
redhat
redhat
added 2025/04/01 3:15 p.m.6 views

graphql-ruby: Remote code execution when loading a crafted GraphQL schema

A flaw was found in graphql-ruby. In affected versions of graphq-ruby, loading a malicious schema definition in the GraphQL::Schema.fromintrospection or the GraphQL::Schema::Loader.load can cause remote code execution. Any system that loads a schema by JSON from an untrusted source is vulnerable,...

9CVSS6.1AI score0.02865EPSS
Exploits2References13
osv
osv
added 2025/03/12 7:15 p.m.4 views

DEBIAN-CVE-2025-27407

graphql-ruby is a Ruby implementation of GraphQL. Starting in version 1.11.5 and prior to versions 1.11.8, 1.12.25, 1.13.24, 2.0.32, 2.1.14, 2.2.17, and 2.3.21, loading a malicious schema definition in GraphQL::Schema.fromintrospection or GraphQL::Schema::Loader.load can result in remote code...

9CVSS9.1AI score0.02865EPSS
Exploits2References1
redhatcve
redhatcve
added 2025/02/05 2:21 a.m.10 views

CVE-2024-24556

urql is a GraphQL client that exposes a set of helpers for several frameworks. The @urql/next package is vulnerable to XSS. To exploit this an attacker would need to ensure that the response returns html tags and that the web-application is using streamed responses non-RSC. This vulnerability is...

7.2CVSS6.9AI score0.00355EPSS
Exploits0References1
nvd
nvd
added 2024/12/09 7:15 p.m.37 views

CVE-2024-54147

Altair is a GraphQL client for all platforms. Prior to version 8.0.5, Altair GraphQL Client's desktop app does not validate HTTPS certificates allowing a man-in-the-middle to intercept all requests. Any Altair users on untrusted networks eg. public wifi, malicious DNS servers may have all GraphQL...

6.8CVSS0.00182EPSS
Exploits0References2
vulnrichment
vulnrichment
added 2024/12/09 6:55 p.m.12 views

CVE-2024-54147 Altair GraphQL Client's desktop app does not validate HTTPS certificates

Altair is a GraphQL client for all platforms. Prior to version 8.0.5, Altair GraphQL Client's desktop app does not validate HTTPS certificates allowing a man-in-the-middle to intercept all requests. Any Altair users on untrusted networks eg. public wifi, malicious DNS servers may have all GraphQL...

6.8CVSS7AI score0.00182EPSS
Exploits0References2
cve
cve
added 2024/12/09 6:55 p.m.105 views

CVE-2024-54147

The CVE-2024-54147 entry covers Altair GraphQL Client (desktop) prior to version 8.0.5, where the application does not validate HTTPS certificates. This weakness enables a man-in-the-middle on untrusted networks to intercept GraphQL request/response headers and bodies (including authorization tok...

6.8CVSS6.6AI score0.00182EPSS
Exploits0References2
cvelist
cvelist
added 2024/12/09 6:55 p.m.51 views

CVE-2024-54147 Altair GraphQL Client's desktop app does not validate HTTPS certificates

Altair is a GraphQL client for all platforms. Prior to version 8.0.5, Altair GraphQL Client's desktop app does not validate HTTPS certificates allowing a man-in-the-middle to intercept all requests. Any Altair users on untrusted networks eg. public wifi, malicious DNS servers may have all GraphQL...

6.8CVSS0.00182EPSS
Exploits0References2
Rows per page
Query Builder