GHSA-P3H2-2J4P-P83G MCPHub has Path Traversal via Malicious MCPB Manifest Name
MCPB File Upload Handler extracts a ZIP file and reads manifest.json from it. The name field in the manifest is directly concatenated into a file path line 107 without any sanitization or path traversal character validation. An attacker can craft a malicious MCPB file where manifest.name is set t...