
6 matches found

Github Security Blog
added 2026/05/14 8:17 p.m. | 4 views

Home Assistant MCP Server: YAML config backups written under www/ are served unauthenticated at /local/

Summary: When ENABLEYAMLCONFIGEDITING=true, every haconfigsetyaml call backs up the pre-edit file to /www/yamlbackups/, which Home Assistant serves at /local/ with no authentication. Anyone who can reach the HA web interface can download the most recent pre-edit configuration.yaml or other YAML fi...

AI score: 5.8
Exploits: 0 | References: 6 | Affected Software: 1
OSV
added 2026/05/14 6:24 p.m. | 1 views

GHSA-7XGW-6QF3-7W59 dbt MCP Server Logs Tool Arguments Including SQL Queries and Credentials in Plaintext Without Redaction When File Logging Is Enabled

Discovered through manual source code review. Verified by PoC execution against a local dbt-mcp v1.15.1 installation. Summary: DbtMCP.calltool in src/dbtmcp/mcp/server.py logs the complete raw arguments dictionary at INFO level on every tool invocation (line 67) and again at ERROR level if the call...

CVSS: 2.5 | AI score: 6 | EPSS: 0.00012
Exploits: 0 | References: 3
RedhatCVE
added 2026/01/17 11:25 a.m. | 6 views

CVE-2025-59870

HCL MyXalytics is affected by improper management of a static JWT signing secret in the web application, where the secret lacks rotation, introducing a security risk...

CVSS: 9.8 | AI score: 5.4 | EPSS: 0.00236
Exploits: 0 | References: 1
NVD
added 2026/01/16 11:16 a.m. | 4 views

CVE-2025-59870

HCL MyXalytics is affected by improper management of a static JWT signing secret in the web application, where the secret lacks rotation, introducing a security risk...

CVSS: 9.8 | EPSS: 0.00236
Exploits: 0 | References: 1
ATTACKERKB
added 2026/01/16 10:12 a.m. | 1 views

CVE-2025-59870

HCL MyXalytics is affected by improper management of a static JWT signing secret in the web application, where the secret lacks rotation, introducing a security risk...

CVSS: 9.8 | AI score: 5.3 | EPSS: 0.00236
Exploits: 0 | References: 2 | Affected Software: 1
Positive Technologies
added 2026/01/16 12:0 a.m. | 4 views

PT-2026-3243

Name of the Vulnerable Software and Affected Versions: HCL MyXalytics version 6.7. Description: The web application does not rotate the JWT signing secret, resulting in improper management of a static secret. This introduces a security risk. Recommendations: Rotate the JWT signing secret in the web...

CVSS: 9.8 | AI score: 5.2 | EPSS: 0.00236
Exploits: 0 | References: 5