CVE-2026-54842 WordPress Royal MCP plugin <= 1.4.25 - Broken Access Control vulnerability

Missing Authorization vulnerability in Royal Plugins Royal MCP allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Royal MCP: from n/a through 1.4.25...

CVE-2026-54842

The CVE describes a Missing Authorization vulnerability in the WordPress Royal MCP plugin (Royal MCP) affecting versions up to 1.4.25. The issue is categorized as Broken Access Control with a CVSS v3.1 base score of 8.1 (HIGH), with network attack vector, low attack complexity, and privileges req...

EUVD-2026-39387

Missing Authorization vulnerability in Royal Plugins Royal MCP allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Royal MCP: from n/a through 1.4.25...

mcp-atlassian < 0.17.0 - Server-Side Request Forgery

MCP Atlassian 0.17.0 contains a server-side request forgery caused by improper validation of custom HTTP headers in the HTTP middleware, letting unauthenticated attackers force outbound requests to arbitrary URLs, exploit requires access to the mcp-atlassian HTTP endpoint. id: CVE-2026-27826 info...

Nginx UI - Broken Access Control

Network attackers can fully control nginx service, including config modification and service restart, leading to complete service takeover. id: CVE-2026-33032 info: name: Nginx UI - Broken Access Control author: DhiyaneshDk severity: critical description: | Network attackers can fully control ngi...

MCP Inspector < 0.14.0 UnauthenticatedRemote Code Execution

The MCP inspector is a developer tool for testing and debugging MCP servers. Versions of MCP Inspector below 0.14.1 are vulnerable to remote code execution due to lack of authentication between the Inspector client and proxy, allowing unauthenticated requests to launch MCP commands over stdio. id...

LiteLLM - Command Injection

A critical unauthenticated remote code execution vulnerability exists in LiteLLM due to improper input handling in the MCP stdio test endpoint. An attacker can send a specially crafted request to the /mcp-rest/test/connection endpoint with controlled parameters, resulting in arbitrary command...

Flowise - Remote Code Execution

Flowise 3.0.5 contains a remote code execution vulnerability caused by unsafe evaluation of user input in the CustomMCP node's convertToValidJSONString function, letting remote attackers execute arbitrary code with full Node.js privileges, exploit requires user input to be processed by the...

CVE-2026-53765

CVE-2026-53765 / GHSA-3PVJ-JV98-QHJQ affects chrome-devtools-mcp (Chrome DevTools for agents). The vulnerability occurs when the daemon writes its PID file to a deterministic runtime path under /tmp on POSIX systems (macOS or Linux with XDG_RUNTIME_DIR unset). The code uses fs.writeFileSync() wit...

CVE-2026-57300

A missing permission check in Jenkins MCP Server Plugin 0.177.v629fdb2557fe and earlier allows attackers with Item/Read permission to read the Pipeline replay scripts of jobs they can access...

CVE-2026-57300

A missing permission check in Jenkins MCP Server Plugin 0.177.v629fdb2557fe and earlier allows attackers with Item/Read permission to read the Pipeline replay scripts of jobs they can access...

CVE-2026-9073

A flaw was found in foreman-mcp-server. This component utilizes two distinct logging mechanisms that can expose sensitive session and authentication data. One mechanism logs session identifiers, which are treated as authentication credentials, at an informational level. The other, when debug...

CVE-2026-12112

A flaw was found in the foreman-mcp-server. A session management vulnerability in the MCP Server allows unauthenticated attackers to hijack active administrative sessions due to an improper cache of authenticated client connections, by trusting a non-secret session ID without re-validating...

EUVD-2026-38603

A flaw was found in foreman-mcp-server. This component utilizes two distinct logging mechanisms that can expose sensitive session and authentication data. One mechanism logs session identifiers, which are treated as authentication credentials, at an informational level. The other, when debug...

CVE-2026-9073

Foreman-mcp-server (MCP server) contains a log-related vulnerability that can leak sensitive credentials via log files. Two separate logging paths are involved: (1) session identifiers are logged at informational level and treated as authentication credentials, and (2) debug logging partially san...

CVE-2026-9073 Foreman-mcp-server: mcp server: insecure sensitive http header sanitization

A flaw was found in foreman-mcp-server. This component utilizes two distinct logging mechanisms that can expose sensitive session and authentication data. One mechanism logs session identifiers, which are treated as authentication credentials, at an informational level. The other, when debug...

CVE-2026-9073

A flaw was found in foreman-mcp-server. This component utilizes two distinct logging mechanisms that can expose sensitive session and authentication data. One mechanism logs session identifiers, which are treated as authentication credentials, at an informational level. The other, when debug...

CVE-2026-9073

A flaw was found in foreman-mcp-server. This component utilizes two distinct logging mechanisms that can expose sensitive session and authentication data. One mechanism logs session identifiers, which are treated as authentication credentials, at an informational level. The other, when debug...

CVE-2026-12112

A flaw was found in the foreman-mcp-server. A session management vulnerability in the MCP Server allows unauthenticated attackers to hijack active administrative sessions due to an improper cache of authenticated client connections, by trusting a non-secret session ID without re-validating...

CVE-2026-12112

A flaw was found in the foreman-mcp-server. A session management vulnerability in the MCP Server allows unauthenticated attackers to hijack active administrative sessions due to an improper cache of authenticated client connections, by trusting a non-secret session ID without re-validating...