GHSA-6JX8-RCJX-VMWF GitHub Kanban MCP Server vulnerable to Command Injection
The MCP Server at https://github.com/Sunwood-ai-labs/github-kanban-mcp-server/ is written in a way that is vulnerable to command injection vulnerability attacks as part of some of its MCP Server tool definition and implementation. Vulnerable tool The MCP Server exposes the tool addcomment which...
Security Bulletin: IBM Cognos Analytics has addressed multiple vulnerabilities
Summary Security vulnerabilities have been addressed in IBM Cognos Analytics 11.2.3. These vulnerabilities have also been previously addressed in IBM Cognos Analytics 11.1.7 FP5 where applicable. Multiple Cross-Site Request Forgery vulnerabilities have been addressed CVE-2020-4301, CVE-2021-20468...
Security Bulletin: Due to use of Nodejs Express.js, multiple vulnerabilities affect IBM Cloud Pak System [CVE-2024-43796, CVE-2024-43799, CVE-2024-43800]
Summary Multiple vulnerabilities in Send cross-site scripting XSS within the SendStream.redirect, serve-static built-in and response.redirect found in Node.js Express.js which is used by IBM Cloud Pak System. Vulnerabilities were addressed by IBM Cloud Pak System. Vulnerability Details...
PT-2025-29688 · Node.Js · Node.Js
Name of the Vulnerable Software and Affected Versions: Node.js versions 20.x through 20.19.3 Node.js versions 22.x through 22.17.0 Node.js versions 24.x through 24.4.0 Description: The path.normalize function in Node.js does not properly restrict Windows device names such as CON, PRN, and AUX...
Tuesday, July 15, 2025 Security Releases
Tuesday, July 15, 2025 Security Releases Security releases available Updates are now available for the 24.x, 22.x, 20.x Node.js release lines for the following issues. Windows Device Names CON, PRN, AUX Bypass Path Traversal Protection in path.normalize CVE-2025-27210 - high An incomplete fix has...
Node.js 20.x < 20.19.4 / 22.x < 22.17.1 / 24.x < 24.4.1 Multiple Vulnerabilities (Tuesday, July 15, 2025 Security Releases).
The version of Node.js installed on the remote host is prior to 20.19.4, 22.17.1, 24.4.1. It is, therefore, affected by multiple vulnerabilities as referenced in the Tuesday, July 15, 2025 Security Releases advisory. - The V8 release used in Node.js v24.0.0 has changed how string hashes are...
PT-2025-29694 · Node.Js · Node.Js
Name of the Vulnerable Software and Affected Versions: Node.js versions 24.0.0 and later Description: The V8 release in Node.js reintroduced a HashDoS vulnerability due to changes in string hash computation using rapidhash. An attacker controlling the strings to be hashed can generate numerous ha...
CVE-2025-53818
GitHub Kanban MCP Server is a Model Context Protocol MCP server for managing GitHub issues in Kanban board format and streamlining LLM task management. Version 0.3.0 of the MCP Server is written in a way that is vulnerable to command injection vulnerability attacks as part of some of its MCP Serv...
CVE-2025-53818 github-kanban-mcp-server Command Injection vulnerability
GitHub Kanban MCP Server is a Model Context Protocol MCP server for managing GitHub issues in Kanban board format and streamlining LLM task management. Version 0.3.0 of the MCP Server is written in a way that is vulnerable to command injection vulnerability attacks as part of some of its MCP Serv...
CVE-2025-53818
CVE-2025-53818 affects the GitHub Kanban MCP Server. Version 0.3.0 is vulnerable to a command-injection flaw in the MCP Server’s add_comment tool, which uses Node.js child_process.exec and concatenates user-supplied input with the gh command. This unsafe usage can lead to remote command execution...
PT-2025-29513 · Unknown · Github-Kanban-Mcp-Server
Name of the Vulnerable Software and Affected Versions: GitHub Kanban MCP Server versions 0.3.0 through 0.4.0 Description: GitHub Kanban MCP Server is a Model Context Protocol MCP server designed for managing GitHub issues in Kanban board format and streamlining LLM task management. The server’s a...
CVE-2025-53542
Headlamp is an extensible Kubernetes web UI. A command injection vulnerability was discovered in the codeSign.js script used in the macOS packaging workflow of the Kubernetes Headlamp project. This issue arises due to the improper use of Node.js's execSync function with unsanitized input derived...
CVE-2025-53542 Kubernetes Headlamp Allows Arbitrary Command Injection in macOS Process headlamp@codeSign
Headlamp is an extensible Kubernetes web UI. A command injection vulnerability was discovered in the codeSign.js script used in the macOS packaging workflow of the Kubernetes Headlamp project. This issue arises due to the improper use of Node.js's execSync function with unsanitized input derived...
CVE-2025-53542
CVE-2025-53542 affects Headlamp, an extensible Kubernetes web UI. The vulnerability is a command injection in the macOS packaging workflow (codeSign.js) caused by using Node.js execSync() with unsanitized environment-derived input (teamID, entitlementsPath, config.app) passed to the shell without...
CVE-2025-53372
node-code-sandbox-mcp is a Node.js–based Model Context Protocol server that spins up disposable Docker containers to execute arbitrary JavaScript. Prior to 1.3.0, a command injection vulnerability exists in the node-code-sandbox-mcp MCP Server. The vulnerability is caused by the unsanitized use o...
Denial Of Service (DoS)
@builder.io/qwik-city is vulnerable to Denial Of Service DoS. The vulnerability is due to the server not handling errors thrown when an invalid QRL function qfunc is sent, which allows an attacker to crash the Node.js server by triggering an unhandled exception...