15 matches found

OSSF Malicious Packages
added 9 hours ago, 5 views

Malicious code in 0x2ai-multi-mq (npm)

Source: amazon-inspector 7d056f067b0af2084bd7777fcdb2ae6e2c06bb67f40929ba9900b5aa9cb83649. When the documented invocation npx 0x2ai-multi-mq is run, bin/start.cjs copies chatroom-mcp-lite-patched.cjs and chatroom-monitor.cjs into the user's...

AI score: 5.6
Exploits: 0, References: 1
OSV
added 9 hours ago, 3 views

MAL-2026-5601 Malicious code in 0x2ai-multi-q (npm)

Source: amazon-inspector e305b12731a6b73c8982935753b52febfa90626f5a75f6942ca154aa708594b6. Running npx 0x2ai-multi-q, the package's documented invocation, spawns claude --dangerously-skip-permissions and writes a .mcp.json into the user's...

AI score: 6.4
Exploits: 0, References: 1
RedhatCVE
added 6 days ago, 5 views

CVE-2026-7386

A flaw has been found in fatbobman mail-mcp-bridge up to 1.3.3. Affected is an unknown function of the file src/mail_mcp_server.py. Executing a manipulation of the argument message_ids can lead to path traversal. The attack can be executed remotely. The exploit has been published and may be used...

CVSS: 7.5, AI score: 6.8, EPSS: 0.00073
Exploits: 0, References: 1
NVD
added 2026/04/29 4:16 p.m., 3 views

CVE-2026-7386

A flaw has been found in fatbobman mail-mcp-bridge up to 1.3.3. Affected is an unknown function of the file src/mail_mcp_server.py. Executing a manipulation of the argument message_ids can lead to path traversal. The attack can be executed remotely. The exploit has been published and may be used...

CVSS: 7.5, EPSS: 0.00073
Exploits: 0, References: 7
Cvelist
added 2026/04/29 3:00 p.m., 26 views

CVE-2026-7386 fatbobman mail-mcp-bridge mail_mcp_server.py path traversal

A flaw has been found in fatbobman mail-mcp-bridge up to 1.3.3. Affected is an unknown function of the file src/mail_mcp_server.py. Executing a manipulation of the argument message_ids can lead to path traversal. The attack can be executed remotely. The exploit has been published and may be used...

CVSS: 7.5, EPSS: 0.00073
Exploits: 0, References: 7
Vulnrichment
added 2026/04/29 3:00 p.m., 2 views

CVE-2026-7386 fatbobman mail-mcp-bridge mail_mcp_server.py path traversal

A flaw has been found in fatbobman mail-mcp-bridge up to 1.3.3. Affected is an unknown function of the file src/mail_mcp_server.py. Executing a manipulation of the argument message_ids can lead to path traversal. The attack can be executed remotely. The exploit has been published and may be used...

CVSS: 7.5, AI score: 7, EPSS: 0.00073
Exploits: 0, References: 7
ATTACKERKB
added 2026/04/29 3:00 p.m., 1 view

CVE-2026-7386

A flaw has been found in fatbobman mail-mcp-bridge up to 1.3.3. Affected is an unknown function of the file src/mail_mcp_server.py. Executing a manipulation of the argument message_ids can lead to path traversal. The attack can be executed remotely. The exploit has been published and may be used...

CVSS: 7.5, AI score: 6.9, EPSS: 0.00073
Exploits: 0, References: 7, Affected Software: 1
EUVD
added 2026/04/29 3:00 p.m., 2 views

EUVD-2026-26250

A flaw has been found in fatbobman mail-mcp-bridge up to 1.3.3. Affected is an unknown function of the file src/mail_mcp_server.py. Executing a manipulation of the argument message_ids can lead to path traversal. The attack can be executed remotely. The exploit has been published and may be used...

CVSS: 7.5, AI score: 6.9, EPSS: 0.00073
Exploits: 0, References: 7
Positive Technologies
added 2026/04/29 12:00 a.m., 3 views

PT-2026-35939

A flaw has been found in fatbobman mail-mcp-bridge up to 1.3.3. Affected is an unknown function of the file src/mail_mcp_server.py. Executing a manipulation of the argument message_ids can lead to path traversal. The attack can be executed remotely. The exploit has been published and may be used...

CVSS: 7.5, AI score: 6.9, EPSS: 0.00073
Exploits: 0, References: 8
NVD
added 2026/04/28 3:16 a.m., 0 views

CVE-2026-7216

A weakness has been identified in donchelo processing-claude-mcp-bridge up to e017b20a4b592a45531a6392f494007f04e661bd. Impacted is an unknown function of the file processing_server.py of the component create_sketch Tool. This manipulation of the argument sketchname causes path traversal. Remote...

CVSS: 7.5, EPSS: 0.00066
Exploits: 0, References: 5
Cvelist
added 2026/04/28 2:15 a.m., 28 views

CVE-2026-7216 donchelo processing-claude-mcp-bridge create_sketch Tool processing_server.py path traversal

A weakness has been identified in donchelo processing-claude-mcp-bridge up to e017b20a4b592a45531a6392f494007f04e661bd. Impacted is an unknown function of the file processing_server.py of the component create_sketch Tool. This manipulation of the argument sketchname causes path traversal. Remote...

CVSS: 7.5, EPSS: 0.00066
Exploits: 0, References: 5
EUVD
added 2026/04/28 2:15 a.m., 3 views

EUVD-2026-25972

A weakness has been identified in donchelo processing-claude-mcp-bridge up to e017b20a4b592a45531a6392f494007f04e661bd. Impacted is an unknown function of the file processing_server.py of the component create_sketch Tool. This manipulation of the argument sketchname causes path traversal. Remote...

CVSS: 7.5, AI score: 7, EPSS: 0.00066
Exploits: 0, References: 5
Github Security Blog
added 2026/03/19 12:51 p.m., 7 views

MCP Connect has unauthenticated remote OS command execution via /bridge endpoint

Summary: When AUTHTOKEN and ACCESSTOKEN environment variables are not set, which is the default out-of-the-box configuration, the /bridge HTTP endpoint is completely unauthenticated. Any network-accessible caller can POST a request with an attacker-controlled serverPath and args payload, causing the...

AI score: 6.7
Exploits: 0, References: 2, Affected Software: 1
vulnersOsv
added 2026/03/19 12:51 p.m., 4 views

@autolabz/mcp-bridge (>=1.0.8 <=1.0.9) potentially affected by unknown CVE via mcp-bridge (=1.0.0)

mcp-bridge NPM version =1.0.0 is affected by a known vulnerability. The following packages have a transitive dependency on mcp-bridge and may be impacted: - @autolabz/mcp-bridge =1.0.8, =1.0.9 Source cves: unknown CVE Source advisory: OSV:GHSA-WVR4-3WQ4-GPC5...

AI score: 5.8
Exploits: 0
vulnersOsv
added 2026/02/13 9:04 p.m., 8 views

@anngdinh/remote-mcp-server-authless (=0.0.0), @aredes.me/mcp-camara (=1.0.6) +140 more potentially affected by unknown CVE via agents (>=0.0.100 <=0.2.35)

agents NPM version =0.0.100, =0.4.0, =1.1.1, =0.1.0, =0.2.0, =0.1.0, =0.0.1, =1.0.2, =1.0.1, =1.0.27 - @famma/mcp-auth =0.0.4 and more Source cves: unknown CVE Source advisory: SNYK:JS-AGENTS-15282793...

AI score: 5.5
Exploits: 0