9 matches found
GHSA-HV85-774V-26FG auth-fetch-mcp: SSRF and disk exfiltration via unvalidated auth_fetch and download_media URLs
SSRF + disk-exfil in download_media and auth_fetch tools — ymw0407/auth-fetch-mcp Severity The download_media and auth_fetch MCP tools accept arbitrary URLs and reach them as the MCP server process, with download_media additionally persisting the fetched response body to a user-controlled output...
OESA-2025-2906 ffmpeg security update
FFmpeg is a complete and free Internet live audio and video broadcasting solution for Linux/Unix. It also includes a digital VCR. It can encode in real time in many formats including MPEG1 audio and video, MPEG4, h263, ac3, asf, avi, real, mjpeg, and flash. Security Fixes: A flaw was found in...
EUVD-2025-21168
Malicious code in bioql PyPI...
Malicious Package
Overview iuz-64bit is a malicious package. This package contains malicious code, and its content was removed from the official package manager. The package appears to be part of a larger campaign targeting user credentials. It, and several other variations, masquerade as automation tools for soci...
CVE-2025-53641 Postiz allows header mutation in middleware facilitates resulting in SSRF
Postiz is an AI social media scheduling tool. From 1.45.1 to 1.62.3, the Postiz frontend application allows an attacker to inject arbitrary HTTP headers into the middleware pipeline. This flaw enables a server-side request forgery (SSRF) condition, which can be exploited to initiate unauthorized...
Huawei HarmonyOS authorization issue vulnerability
Huawei HarmonyOS is an operating system from Huawei China. It provides a full-scenario distributed operating system based on a microkernel. A security vulnerability exists in Huawei HarmonyOS, which stems from an application identity verification laxity vulnerability in the online authentication...
SUSE CVE-2011-3946
The ff_h264_decode_sei function in libavcodec/h264_sei.c in FFmpeg before 0.10 allows remote attackers to have an unspecified impact via crafted Supplemental enhancement information (SEI) data, which triggers an infinite loop...
UBUNTU-CVE-2015-1208
Integer underflow in the mov_read_default function in libavformat/mov.c in FFmpeg before 2.4.6 allows remote attackers to obtain sensitive information from heap and/or stack memory via a crafted MP4 file...
Local/remote mpg123 exploit
-----BEGIN PGP SIGNED MESSAGE----- "Putting the honey in honeynet since '98." Introduction: Several months ago, GOBBLES Security was recruited by the RIAA (riaa.org) to invent, create, and finally deploy the...