Network-AI: Unauthenticated Cross-Origin MCP Tool Invocation via Empty Default Secret

Unauthenticated Cross-Origin MCP Tool Invocation via Empty Default Secret | Field | Value | | ---------------- | ----- | | Repository | Jovancoding/Network-AI | | Affected version | v5.4.4 commit c12686e181f231cf8d7bcf836a96d78f0f0877ac | Summary The MCP SSE server defaults to an empty secret...

AVideo vulnerable to IP Address Spoofing via Untrusted HTTP Headers in getRealIpAddr()

Summary The getRealIpAddr function in objects/functions.php trusts user-controlled HTTP headers to determine the client's IP address. An attacker can spoof their IP address by sending forged headers, bypassing any IP-based access controls or audit logging. Vulnerable Code File:...

PT-2024-28732 · Npm · @Jmondi/Url-To-Png

Name of the Vulnerable Software and Affected Versions: @jmondi/url-to-png versions prior to 2.1.1 Description: The issue concerns the ALLOW LIST in the @jmondi/url-to-png package, which permits capturing screenshots of web services running on localhost, 127.0.0.1, or the :: by default. If hosted ...

PT-2022-13422 · Unknown · Calibre-Web

Name of the Vulnerable Software and Affected Versions: calibre-web versions prior to 0.6.17 Description: The issue is related to Server-Side Request Forgery SSRF in the GitHub repository janeczku/calibre-web. This is due to an incomplete fix, which results in the blacklist not checking for 0.0.0....