16 matches found
GHSA-RWC2-F344-Q6W6 serverless MCP Server vulnerable to Command Injection in list-projects tool
Summary A command injection vulnerability exists in the Serverless Framework's built-in MCP server package @serverless/mcp. This vulnerability only affects users of the experimental MCP server feature serverless mcp, which represents less than 0.1% of Serverless Framework users. The core Serverle...
CVE-2025-69256 serverless MCP Server vulnerable to command injection in list-projects tool
The Serverless Framework is a framework for using AWS Lambda and other managed cloud services to build applications. Starting in version 4.29.0 and prior to version 4.29.3, a command injection vulnerability exists in the Serverless Framework's built-in MCP server package @serverless/mcp. This...
CVE-2025-69256
CVE-2025-69256 : The Serverless Framework MCP Server vulnerability enables command injection via unsanitized user input in the list-projects tool. The issue arises when building shell commands with workspaceRoots (user-controlled) and calling child_process.exec without proper sanitization, allowi...
CVE-2025-8791
A vulnerability was found in LitmusChaos Litmus up to 3.19.0. It has been rated as critical. This issue affects some unknown processing of the file /auth/listprojects. The manipulation of the argument role leads to improper authorization. The attack may be initiated remotely. The exploit has been...
Improper Authorization
Overview Affected versions of this package are vulnerable to Improper Authorization over the /auth/listprojects endpoint. A user can perform unauthorized actions beyond their intended permissions by changing the role argument from Viewer to Owner. Remediation There is no fixed version for...
CVE-2025-8791
CVE-2025-8791 affects LitmusChaos up to version 3.19.0. The vulnerability is an improper authorization flaw in the /auth/list_projects endpoint caused by manipulating the role parameter, enabling remote, unauthenticated-like actions with low privileges. Exploitation is possible and the exploit ha...
CVE-2025-8791 LitmusChaos Litmus list_projects improper authorization
A vulnerability was found in LitmusChaos Litmus up to 3.19.0. It has been rated as critical. This issue affects some unknown processing of the file /auth/listprojects. The manipulation of the argument role leads to improper authorization. The attack may be initiated remotely. The exploit has been...
LitmusChaos security vulnerability
LitmusChaos is a program open-sourced by Litmus Chaos that practices chaos engineering in a cloud-native manner. A security vulnerability exists in LitmusChaos 3.19.0 and earlier versions, which stems from improper handling of the parameter roles in the file /auth/listprojects, which could lead t...
PT-2025-32465 · Unknown · Litmuschaos
Name of the Vulnerable Software and Affected Versions: LitmusChaos versions prior to 3.19.0 Description: A critical issue exists in LitmusChaos related to improper authorization. The vulnerability stems from the manipulation of the role argument during the processing of the /auth/list projects AP...
CVE-2022-44956
webtareas 2.4p5 was discovered to contain a cross-site scripting (XSS) vulnerability in the component /projects/listprojects.php. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name field...