
53 matches found

CNNVD
added 2026/06/09 12:0 a.m. · 14 views

DesDev DedeCMS Security Vulnerability

DesDev DedeCMS is an open-source content management system (CMS) developed by DesDev Corporation in China. It is built using PHP. This system offers functions such as content publishing, content management, content editing, and content retrieval. Version 5.7.118 of DesDev DedeCMS contains a securit...

CVSS 9.8 · AI score 5.5 · EPSS 0.00816
Exploits 0 · References 1
CVE
added 2026/06/09 12:0 a.m. · 14 views

CVE-2026-38615

CVE-2026-38615 affects DedeCMS v5.7.118 with a command execution vulnerability in file_manage_control.php. Public sources confirm the issue but do not provide detailed exploitation steps or concrete remediation in the supplied documents. The CVSSv3.1 metrics indicate a high-severity, network-expl...

CVSS 9.8 · AI score 5.5 · EPSS 0.00816
Exploits 0 · References 1
Positive Technologies
added 2026/06/05 12:0 a.m. · 10 views

PT-2026-47086

Name of the Vulnerable Software and Affected Versions: NocoDB versions prior to 2026.05.1. Description: A low-privilege MCP token holder with knowledge of an attachment path can read any file in shared storage, including attachments from other bases and workspaces. This occurs because the MCP...

CVSS 2.3 · AI score 5.9 · EPSS 0.00209
Exploits 0 · References 8
Snyk
added 2026/05/29 5:22 p.m. · 10 views

Incorrect Authorization

Overview: openclaw is a 🦞 OpenClaw — Personal AI Assistant. Affected versions of this package are vulnerable to Incorrect Authorization via the chat.send route. An attacker can perform unauthorized privileged actions by leveraging inherited external routes to bypass required scope checks, enabling...

CVSS 8.8 · AI score 5.5 · EPSS 0.00253
Exploits 0 · References 2
CNNVD
added 2026/05/29 12:0 a.m. · 12 views

OpenClaw Security Vulnerability

OpenClaw is an open-source intelligent artificial assistant developed by OpenClaw. Versions of OpenClaw prior to 2026.5.18 contained security vulnerabilities. These vulnerabilities stemmed from a range-bypass vulnerability in the Gateway chat.send route, allowing clients with restricted ranges to...

CVSS 8.8 · AI score 5.9 · EPSS 0.00253
Exploits 0 · References 2
OSV
added 2026/05/20 5:31 a.m. · 8 views

MAL-2026-4649 Malicious code in promptbook-mcp (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1223e123a8bd5b550647d800b438b2c5a78f3e10c9d1ab7a6a7cdbd8be465b90 dist/api.js contains a hardcoded URL https://promts.newtechcompany.ru referenced alongside process.env reads and a fetch call at line 44. The package...

AI score 5.8
Exploits 0 · References 1
OSV
added 2026/05/19 7:22 p.m. · 5 views

GHSA-FHH6-4QXV-RPQJ 9router: Unauthenticated Remote Code Execution via unprotected MCP custom plugin routes

Summary: 9router exposes two unauthenticated API endpoints that, when chained together, allow any network-adjacent attacker to execute arbitrary OS commands as the user running the 9router process — with zero prerequisites and no credentials required. The vulnerability exists because the Next.js...

CVSS 10 · AI score 6.1 · EPSS 0.00147
Exploits 0 · References 2
vulnersOsv
added 2026/05/11 9:0 p.m. · 7 views

@squawk/mcp (>=0.2.0 <=0.9.0) potentially affected by unknown CVE via @squawk/flight-math (=0.5.3)

@squawk/flight-math NPM version =0.5.3 is affected by a known vulnerability. The following packages have a transitive dependency on @squawk/flight-math and may be impacted: @squawk/mcp >=0.2.0, <=0.9.0. Source CVEs: unknown CVE. Source advisory: SNYK:JS-SQUAWKFLIGHTMATH-16640879...

AI score 5.8
Exploits 0
NVD
added 2026/04/07 3:17 p.m. · 4 views

CVE-2026-5382

An issue that could expose records outside of the authorized organization scope through the MCP endpoints has been resolved. This is an instance of CWE-863: Incorrect Authorization, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N 3.0 Low. This issue was fixed in...

CVSS 3 · EPSS 0.00174
Exploits 0 · References 2
Cvelist
added 2026/04/07 2:10 p.m. · 21 views

CVE-2026-5374 runZero Platform MCP information leak

An issue that allowed MCP agents to access remediation and asset information from outside of the authorized organization scope has been resolved. This is an instance of CWE-863: Incorrect Authorization, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N 5.8 Medium. Th...

CVSS 5.8 · EPSS 0.00208
Exploits 0 · References 2
Zero Day Initiative
added 2026/03/24 12:0 a.m. · 7 views

(0Day) Microsoft Azure MCP AzureCliService Command Injection Remote Code Execution Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Microsoft Azure. Authentication is not required to exploit this vulnerability. The specific flaw exists within the azure-cli-mcp component. The issue results from the lack of proper validation of a...

CVSS 9.8 · AI score 6.3
Exploits 0
EUVD
added 2026/03/16 3:14 p.m. · 3 views

EUVD-2025-208759

FastMCP OAuth Proxy token reuse across MCP servers...

CVSS 7.4 · AI score 5.8 · EPSS 0.00278
Exploits 1 · References 1
EUVD
added 2025/10/07 12:30 a.m. · 7 views

EUVD-2005-4520

Malware in sbrugna...

CVSS 4.6 · AI score 6.4 · EPSS 0.00437
Exploits 1 · References 5
EUVD
added 2025/10/07 12:30 a.m. · 4 views

EUVD-2018-4029

Malware in sbrugna...

CVSS 7.5 · AI score 7.6 · EPSS 0.0098
Exploits 1 · References 2
Positive Technologies
added 2025/10/03 12:0 a.m. · 5 views

PT-2025-40609

Name of the Vulnerable Software and Affected Versions: win-cli-mcp-server (affected versions not specified). Description: The software contains a command injection flaw within the resolveCommandPath function. This allows for remote code execution. The issue was discovered by Peter Girnus of Trend...

AI score 8.2 · EPSS 0.02633
Exploits 0 · References 3
Vulnrichment
added 2024/07/18 3:35 p.m. · 30 views

CVE-2024-39911 1Panel SQL injection

1Panel is a web-based Linux server management control panel. 1Panel contains an unspecified SQL injection via User-Agent handling. This issue has been addressed in version 1.10.12-lts. Users are advised to upgrade. There are no known workarounds for this vulnerability...

CVSS 10 · AI score 7.2 · EPSS 0.04566
Exploits 2 · References 2
Positive Technologies
added 2024/05/28 12:0 a.m. · 6 views

PT-2024-26521 · Dedecms · Dedecms

Name of the Vulnerable Software and Affected Versions: DedeCMS version 5.7.114. Description: The issue is related to an arbitrary file upload vulnerability in the /dede/file_manage_control.php file. This vulnerability allows attackers to execute arbitrary code by uploading a crafted file...

CVSS 9.8 · AI score 7.7 · EPSS 0.00729
Exploits 1 · References 3
CNVD
added 2023/10/07 12:0 a.m. · 30 views

DedeBIZ Code Execution Vulnerability

DedeBIZ is a content management system from China Muyun Intelligent Technology DedeBIZ company. A code execution vulnerability exists in DedeBIZ version v6.2.11, which stems from the $activepath and $filename parameters in /admin/filemanagecontrol.php failing to correctly filter the special...

CVSS 9.8 · AI score 7.8 · EPSS 0.01031
Exploits 0 · References 1
CNNVD
added 2022/11/23 12:0 a.m. · 3 views

DedeCMS Security Vulnerability

Desdev DedeCMS Dream Weaving Content Management System is a PHP-based open-source content management system (CMS) of China Zhuozhuo network Desdev company. The system has content publishing, content management, content editing and content retrieval functions. A security vulnerability exists in...

CVSS 9.8 · AI score 8.8 · EPSS 0.01609
Exploits 0 · References 2
BDU FSTEC
added 2022/10/31 12:0 a.m. · 4 views

A vulnerability in the firmware of the D-Link DIR878 router, related to the lack of measures taken to sanitize data at the management level, allows an attacker to execute arbitrary code.

The vulnerability in the firmware of the D-Link DIR878 router is related to the lack of measures taken to sanitize data at the control level. Exploiting this vulnerability allows a malicious actor to execute arbitrary code using the /bin/proc.cgi parameter...

CVSS 10 · AI score 8.2 · EPSS 0.01748
Exploits 0 · References 3