Security update for go1.25

This update for go1.25 fixes the following issues Security issues: CVE-2026-33811: net: crash when handling long CNAME response bsc1264508. CVE-2026-33814: net/http: infinite loop in HTTP/2 transport when given bad SETTINGSMAXFRAMESIZE bsc1264506. CVE-2026-39817: cmd/go: "go tool pack" does not...

EUVD-2026-30488

The MCP Registry provides MCP clients with a list of MCP servers, like an app store for MCP servers. Prior to 1.7.7, the Registry's HTTP-based namespace verification POST /v0/auth/http, POST /v0.1/auth/http uses safeDialContext internal/api/handlers/v0/auth/http.go:67-110 to refuse dialling...

CVE-2026-44430 MCP Registry: Unauthenticated SSRF: HTTP namespace verification dials 6to4 / NAT64 / site-local IPv6 addresses, bypassing private-address allowlist

The MCP Registry provides MCP clients with a list of MCP servers, like an app store for MCP servers. Prior to 1.7.7, the Registry's HTTP-based namespace verification POST /v0/auth/http, POST /v0.1/auth/http uses safeDialContext internal/api/handlers/v0/auth/http.go:67-110 to refuse dialling...

CVE-2026-44430

The MCP Registry provides MCP clients with a list of MCP servers, like an app store for MCP servers. Prior to 1.7.7, the Registry's HTTP-based namespace verification POST /v0/auth/http, POST /v0.1/auth/http uses safeDialContext internal/api/handlers/v0/auth/http.go:67-110 to refuse dialling...

GHSA-R8J5-8747-88CM @utcp/http: SSRF via attacker-controlled OpenAPI servers[0].url in HTTP communication protocol

Summary The @utcp/http package is vulnerable to a blind Server-Side Request Forgery SSRF caused by a trust-boundary inconsistency between manual discovery and tool invocation. registerManual validates the discovery URL against an HTTPS / loopback allowlist, but callTool reuses the resolved...

Server-side Request Forgery (SSRF)

Overview @utcp/http is a HTTP utilities for UTCP Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the OpenApiConverter process. An attacker can access internal network resources and sensitive metadata endpoints by supplying a malicious OpenAPI specification...

NPM: DeepSeek TUI has SSRF via HTTP Redirect Bypass in fetch_url Tool

NPM: DeepSeek TUI has SSRF via HTTP Redirect Bypass in fetchurl Tool vulnerability discovered by ? in WordPress Npm deepseek-tui versions 0.8.22...

Improper Authorization

Overview open-webui is an Open WebUI Affected versions of this package are vulnerable to Improper Authorization via the bypassfilter parameter in the HTTP query string, which is unintentionally exposed in the route handler. An attacker can gain unauthorized access to restricted models by appendin...

CLSA-2026-1778768341 python: Fix of 4 CVEs

CVE-2019-9740: reject control characters in HTTP URL paths in httplib.HTTPConnection.putrequest to prevent CRLF header injection - CVE-2019-18348: reject control characters in hostnames in httplib.HTTPConnection.init via a new validatehost helper to prevent CRLF header injection the glibc...

CLSA-2026-1778789558 httpd: Fix of CVE-2022-36760

CVE-2022-36760: modproxyajp: fix possible request smuggling via invalid Transfer-Encoding...

CVE-2026-44661

CVE-2026-44661 affects python-utcp (utcp-http plugin) prior to v1.1.3. The vulnerability arises because register_manual() validates discovery URLs against an HTTPS/loopback allowlist, while call_tool()/call_tool_streaming() reuse tool_call_template.url without revalidation and the OpenAPI convert...

Malicious code in rimraf-utils (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a59d88d733415216903578b3c3806d76405a23a7cca56ee355eb6725e4e930d4 [email protected] impersonates the widely-installed rimraf package index.js is a dummy stub that internally identifies itself as 'lodash-js — Just a...

python: Fix of 4 CVEs

CVE-2019-9740: reject control characters in HTTP URL paths in httplib.HTTPConnection.putrequest to prevent CRLF header injection - CVE-2019-18348: reject control characters in hostnames in httplib.HTTPConnection.init via a new validatehost helper to prevent CRLF header injection the glibc...

CLSA-2026-1778786567 curl: Fix of 2 CVEs

CVE-2018-1000120: fix buffer overflow exists in the FTP URL handling - CVE-2018-1000007: fix leak authentication data to third parties in HTTP requests...

MAL-2026-3747 Malicious code in @aiscene/aiserver (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 542fdb1c23b52adda0ed5164b65c9768aef7a5edd45473f9cd3ceab3065b1bb3 When the installed aiserver tool is started via its bin, npm start, or loading dist/index.js, it registers the host with a hardcoded remote controlle...

CVE-2026-44516

Valtimo is an open-source business process automation platform. From 12.4.0 to 12.33.0 and 13.26.0, the LoggingRestClientCustomizer in the web module automatically intercepts all outgoing HTTP calls made via Spring's RestClient and logs the full request body, response body, and response headers...

CVE-2026-44516 Valtimo: Sensitive data exposure through HTTP request/response logging in LoggingRestClientCustomizer

Valtimo is an open-source business process automation platform. From 12.4.0 to 12.33.0 and 13.26.0, the LoggingRestClientCustomizer in the web module automatically intercepts all outgoing HTTP calls made via Spring's RestClient and logs the full request body, response body, and response headers...

Portainer's Kubernetes middleware continues after token validation failure, bypassing endpoint authorization

Summary Portainer proxies requests to Kubernetes clusters through a middleware layer kubeClientMiddleware that validates the requesting user's token before forwarding traffic to the cluster. When security.RetrieveTokenData returned an error, the middleware wrote an HTTP 403 response but was missi...

NPM: n8n: HTTP Request Node Pagination Prototype Pollution to RCE

NPM: n8n: HTTP Request Node Pagination Prototype Pollution to RCE vulnerability discovered by ? in WordPress Npm n8n versions 1.123.43...

n8n: HTTP Request Node Pagination Prototype Pollution to RCE

Impact An authenticated user with permission to create or modify workflows could achieve global prototype pollution via an unvalidated pagination parameter in the HTTP Request node. Combined with other techniques this could lead to RCE on the instance. Patches The issue has been fixed in n8n...