78 matches found
CVE-2026-7439
AgentFlow's local web API accepts non-JSON content types on POST /api/runs and POST /api/runs/validate endpoints without enforcing application/json validation, allowing attackers to bypass trust-boundary enforcement on sensitive operations. Attackers can exploit this content-type validation...
CVE-2026-7439
AgentFlow's local web API accepts non-JSON content types on POST /api/runs and POST /api/runs/validate endpoints without enforcing application/json validation, allowing attackers to bypass trust-boundary enforcement on sensitive operations. Attackers can exploit this content-type validation...
EUVD-2026-26278
AgentFlow's local web API accepts non-JSON content types on POST /api/runs and POST /api/runs/validate endpoints without enforcing application/json validation, allowing attackers to bypass trust-boundary enforcement on sensitive operations. Attackers can exploit this content-type validation...
PT-2026-35970
Name of the Vulnerable Software and Affected Versions AgentFlow affected versions not specified Description The local web API fails to enforce application/json validation for non-JSON content types on the 'POST /api/runs' and 'POST /api/runs/validate' endpoints. This allows attackers to bypass...
CVE-2026-33252 MCP Go SDK Allows Cross-Site Tool Execution for HTTP Servers without Authorizatrion
The Go MCP SDK used Go's standard encoding/json. Prior to version 1.4.1, the Go SDK's Streamable HTTP transport accepted browser-generated cross-site POST requests without validating the Origin header and without requiring Content-Type: application/json. In deployments without Authorization,...
EUVD-2025-198335
Missing JSON Content-Type header in a script in Revive Adserver 6.0.1 and 5.5.2 and earlier versions causes a stored XSS attack to be possible for a logged in manager user...
CVE-2025-52667
Missing JSON Content-Type header in a script in Revive Adserver 6.0.1 and 5.5.2 and earlier versions causes a stored XSS attack to be possible for a logged in manager user...
EUVD-2020-0240
Malware in sbrugna...
EUVD-2021-10146
Malware in sbrugna...
EUVD-2019-0779
Malware in sbrugna...
Unity Linux 20.1050a / 20.1060a / 20.1070a Security Update: mod_security (UTSA-2025-180756)
The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2025-180756 advisory. ModSecurity is an open source, cross platform web application firewall WAF engine for Apache, IIS and Nginx. Versions up to and including 2.9.8 are vulnerable to...
EUVD-2022-5018
Malicious code in bioql PyPI...
EUVD-2023-29440
Malicious code in bioql PyPI...
EUVD-2024-37574
Malicious code in bioql PyPI...
EUVD-2022-37709
Malicious code in bioql PyPI...
EUVD-2024-46779
Malicious code in bioql PyPI...
Linux Distros Unpatched Vulnerability : CVE-2025-47947
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - ModSecurity is an open source, cross platform web application firewall WAF engine for Apache, IIS and Nginx. Versions up to and including 2.9.8 are vulnerable t...
Important: mod_security
Issue Overview: ModSecurity is an open source, cross platform web application firewall WAF engine for Apache, IIS and Nginx. Versions up to and including 2.9.8 are vulnerable to denial of service in one special case in stable released versions: when the payload's content type is application/json,...
FreeBSD : ModSecurity -- possible DoS vulnerability (ecea70d2-42fe-11f0-a9fa-b42e991fc52e)
The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the ecea70d2-42fe-11f0-a9fa-b42e991fc52e advisory. [email protected] reports: ModSecurity is an open source, cross platform web application...
SUSE CVE-2025-47947
ModSecurity is an open source, cross platform web application firewall WAF engine for Apache, IIS and Nginx. Versions up to and including 2.9.8 are vulnerable to denial of service in one special case in stable released versions: when the payload's content type is application/json, and there is at...