CVE-2026-8719

The CVE describes a Privilege Escalation in AI Engine 3.4.9 (WordPress plugin: The Chatbot, AI Framework & MCP for WordPress). Root cause: missing WordPress capability enforcement in the MCP OAuth Bearer Token path, allowing any valid OAuth token to grant MCP access without admin privileges. Impa...

GHSA-89VP-X53W-74FX rmcp Streamable HTTP server transport has a DNS rebinding vulnerability

Summary Prior to version 1.4.0, the rmcp crate's Streamable HTTP server transport crates/rmcp/src/transport/streamablehttpserver/ did not validate the incoming Host header. This allowed a malicious public website, via a DNS rebinding attack, to send authenticated requests to an MCP server running...

GHSA-VF6J-C56P-CQ58 MCP-Salesforce's arbitrary attribute access leads to disclosure of Salesforce auth token

Impact Disclosure of Salesforce OAuth bearer tokens used by the MCP. Patches fix applied in 0.1.10 Workarounds Rotate any Salesforce tokens/credentials used by MCP-Salesforce...