
7 matches found

RedhatCVE
added yesterday, 4 views

CVE-2026-43995

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, multiple tool implementations directly import and invoke raw HTTP clients (node-fetch, axios) instead of using the secured wrapper. These tools include (1) OpenAPIToolkit/OpenAPIToolkit.ts, (2)...

9.8 CVSS, 5.4 AI score, 0.00066 EPSS
Exploits: 1, References: 1

Vulnrichment
added 2026/05/11 5:49 p.m., 4 views

CVE-2026-43995 Flowise: SSRF Protection Bypass via Direct node-fetch / axios Usage (Patch Enforcement Failure)

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, multiple tool implementations directly import and invoke raw HTTP clients (node-fetch, axios) instead of using the secured wrapper. These tools include (1) OpenAPIToolkit/OpenAPIToolkit.ts, (2)...

5.3 CVSS, 5.8 AI score, 0.00066 EPSS
Exploits: 1, References: 1

vulnersOsv
added 2026/04/07 8:13 p.m., 4 views

ai.telosforge:kimaira-starter-agentic (>=1.2.4 <=1.2.6), ai.telosforge:kimaira-starter-agentic-factory (>=1.2.4 <=1.2.6) +367 more potentially affected by CVE-2026-35568 via io.modelcontextprotocol.sdk:mcp-core (>=0.13.0 <=0.17.2)

io.modelcontextprotocol.sdk:mcp-core MAVEN version =0.13.0, =1.2.4, =1.2.4, =1.2.4, =1.2.4, =1.2.4, =0.0.1, =0.1.0, =0.3.0, =2.0.0-beta.7, =1.1.0.0, =1.1.0.0, =1.1.2.2-retriever2 and more Source cves: CVE-2026-35568 Source advisory: SNYK:JAVA-IOMODELCONTEXTPROTOCOLSDK-15928845...

7.6 CVSS, 5.8 AI score, 0.00016 EPSS
Exploits: 0

vulnersOsv
added 2026/03/30 5:26 p.m., 2 views

com.agentsflex:agents-flex-bom (=2.1.1), com.agentsflex:agents-flex-mcp (>=2.0.0 <=2.1.1) +22 more potentially affected by CVE-2026-34237 via io.modelcontextprotocol.sdk:mcp-core (>=1.0.0-RC3 <=1.0.0)

io.modelcontextprotocol.sdk:mcp-core MAVEN version =1.0.0-RC3, =2.0.0, =0.1.1, =0.1.1, =0.158.v8e18e64dd93c, =1.0.0, =1.0.0, =1.0.0, =1.0.0-RC3 and more Source cves: CVE-2026-34237 Source advisory: SNYK:JAVA-IOMODELCONTEXTPROTOCOLSDK-15857186...

6.1 CVSS, 7.2 AI score, 0.00012 EPSS
Exploits: 0

vulnersOsv
added 2026/03/30 5:26 p.m., 4 views

ai.agentican:agentican-framework-core (>=0.1.0-alpha.1 <=0.1.0-alpha.3), ai.agentican:agentican-quarkus-deployment (>=0.1.0-alpha.1 <=0.1.0-alpha.3) +122 more potentially affected by CVE-2026-34237 via io.modelcontextprotocol.sdk:mcp-core (=1.1.0)

io.modelcontextprotocol.sdk:mcp-core MAVEN version =1.1.0 is affected by a known vulnerability. The following packages have a transitive dependency on io.modelcontextprotocol.sdk:mcp-core and may be impacted: - ai.agentican:agentican-framework-core =0.1.0-alpha.1, =0.1.0-alpha.1, =0.1.0-alpha.1,...

6.1 CVSS, 7.2 AI score, 0.00012 EPSS
Exploits: 0

vulnersOsv
added 2026/03/30 5:26 p.m., 5 views

ai.agentican:agentican-framework-core (>=0.1.0-alpha.1 <=0.1.0-alpha.3), ai.agentican:agentican-quarkus-deployment (>=0.1.0-alpha.1 <=0.1.0-alpha.3) +122 more potentially affected by CVE-2026-34237 via io.modelcontextprotocol.sdk:mcp-core (=1.1.0)

io.modelcontextprotocol.sdk:mcp-core MAVEN version =1.1.0 is affected by a known vulnerability. The following packages have a transitive dependency on io.modelcontextprotocol.sdk:mcp-core and may be impacted: - ai.agentican:agentican-framework-core =0.1.0-alpha.1, =0.1.0-alpha.1, =0.1.0-alpha.1,...

6.1 CVSS, 7.2 AI score, 0.00012 EPSS
Exploits: 0

Snyk
added 2026/03/30 5:26 p.m., 1 view

Permissive Cross-domain Policy with Untrusted Domains

Overview Affected versions of this package are vulnerable to Permissive Cross-domain Policy with Untrusted Domains via the HttpServletSseServerTransportProvider and HttpServletStreamableServerTransportProvider classes. An attacker can access sensitive session information by leveraging a malicious...

6.1 CVSS, 5.9 AI score, 0.00012 EPSS
Exploits: 0, References: 2