CVE-2025-66335

Apache Doris MCP Server versions earlier than 0.6.1 are affected by an improper neutralization flaw in query context handling that may allow execution of unintended SQL statements and bypass of intended query validation and access restrictions through the MCP query execution interface. Version...

CVE-2026-7729

A security flaw has been discovered in pixelsock directus-mcp 1.0.0. This issue affects the function validateUrl of the file index.ts of the component MCP Interface. Performing a manipulation of the argument fileUrl results in server-side request forgery. The attack may be initiated remotely. The...

CVE-2026-7728

A vulnerability was identified in ryanjoachim mcp-rtfm 0.1.0. This vulnerability affects the function getdoccontent/readdoc/updatedoc of the component MCP Interface. Such manipulation of the argument docFile leads to path traversal. The attack can be launched remotely. The exploit is publicly...

CVE-2026-7446

A vulnerability was detected in VetCoders mcp-server-semgrep 1.0.0. This affects the function analyzeresults/filterresults/exportresults/compareresults/scandirectory/createrule of the file src/index.ts of the component MCP Interface. The manipulation of the argument ID results in os command...

CVE-2026-7272

A flaw has been found in WilliamCloudQi matlab-mcp-server up to ab88f6b9bf5f36f725e8628029f7f6dd0d9913ca. The affected element is the function generatematlabcode/executematlabcode of the file src/index.ts of the component MCP Interface. Executing a manipulation of the argument scriptPath can lead...

Incomplete List of Disallowed Inputs

Overview flowise is a Flowiseai Server Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs inadequate input validation in the validateCommandFlags and validateArgsForLocalFileAccess functions. An attacker can execute arbitrary commands on the server by bypassi...

Incomplete List of Disallowed Inputs

Overview flowise-components is a Flowiseai Components Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs inadequate input validation in the validateCommandFlags and validateArgsForLocalFileAccess functions. An attacker can execute arbitrary commands on the...

CVE-2026-7738

A security flaw has been discovered in puchunjie doc-tools-mcp 1.0.18. This affects the function createdocument/opendocument of the file src/mcp-server.ts of the component MCP Interface. The manipulation of the argument filePath results in path traversal. The attack can be launched remotely. The...

CVE-2026-7600

A flaw has been found in ArtMin96 yii2-mcp-server 1.0.2. This impacts the function yiicommandhelp/yiiexecutecommand of the file src/index.ts of the component MCP Interface. Executing a manipulation can lead to os command injection. The attack can be executed remotely. The exploit has been publish...

CVE-2026-7645

A vulnerability was found in ruvnet sublinear-time-solver 1.5.0. Affected by this vulnerability is the function exportstate of the file src/consciousness-explorer/mcp/server.js of the component MCP Interface. The manipulation results in path traversal. The attack can be executed remotely. The...

CVE-2026-7738

A security flaw has been discovered in puchunjie doc-tools-mcp 1.0.18. This affects the function createdocument/opendocument of the file src/mcp-server.ts of the component MCP Interface. The manipulation of the argument filePath results in path traversal. The attack can be launched remotely. The...

CVE-2026-7729

A security flaw has been discovered in pixelsock directus-mcp 1.0.0. This issue affects the function validateUrl of the file index.ts of the component MCP Interface. Performing a manipulation of the argument fileUrl results in server-side request forgery. The attack may be initiated remotely. The...

CVE-2026-7730

A weakness has been identified in privsim mcp-test-runner 0.2.0. Impacted is the function childprocess.spawn of the file src/index.ts of the component MCP Interface. Executing a manipulation of the argument command can lead to os command injection. The attack may be launched remotely. The exploit...

CVE-2026-7730 privsim mcp-test-runner MCP index.ts child_process.spawn os command injection

A weakness has been identified in privsim mcp-test-runner 0.2.0. Impacted is the function childprocess.spawn of the file src/index.ts of the component MCP Interface. Executing a manipulation of the argument command can lead to os command injection. The attack may be launched remotely. The exploit...

EUVD-2026-26883

A security flaw has been discovered in pixelsock directus-mcp 1.0.0. This issue affects the function validateUrl of the file index.ts of the component MCP Interface. Performing a manipulation of the argument fileUrl results in server-side request forgery. The attack may be initiated remotely. The...

CVE-2026-7728 ryanjoachim mcp-rtfm MCP update_doc path traversal

A vulnerability was identified in ryanjoachim mcp-rtfm 0.1.0. This vulnerability affects the function getdoccontent/readdoc/updatedoc of the component MCP Interface. Such manipulation of the argument docFile leads to path traversal. The attack can be launched remotely. The exploit is publicly...

CVE-2026-7728 ryanjoachim mcp-rtfm MCP update_doc path traversal

A vulnerability was identified in ryanjoachim mcp-rtfm 0.1.0. This vulnerability affects the function getdoccontent/readdoc/updatedoc of the component MCP Interface. Such manipulation of the argument docFile leads to path traversal. The attack can be launched remotely. The exploit is publicly...

EUVD-2026-26882

A vulnerability was identified in ryanjoachim mcp-rtfm 0.1.0. This vulnerability affects the function getdoccontent/readdoc/updatedoc of the component MCP Interface. Such manipulation of the argument docFile leads to path traversal. The attack can be launched remotely. The exploit is publicly...

CVE-2026-7715

A vulnerability has been found in ravenwits mcp-server-arangodb up to 0.4.7. This affects the function arangobackup of the file src/tools.ts of the component MCP Interface. Such manipulation of the argument outputDir leads to path traversal. It is possible to launch the attack remotely. The explo...

PT-2026-36759

Name of the Vulnerable Software and Affected Versions privsim mcp-test-runner version 0.2.0 Description A flaw in the MCP Interface component allows for remote OS command injection. This occurs through the manipulation of the command argument within the child process.spawn function located in the...