3 matches found
GHSA-R78R-RWRF-RJWP Network-AI: CVE-2026-46701 fix incomplete — empty default secret still authorizes all requests
Advisory / Disclosure Network-AI — CVE-2026-46701 fix is incomplete: the "Empty Default Secret" unauth path survives Target: Jovancoding/Network-AI npm network-ai, latest v5.7.1 Status: the advisory "Unauthenticated Cross-Origin MCP Tool Invocation via Empty Default Secret" named three flaws. The...
PT-2026-50980
Name of the Vulnerable Software and Affected Versions Tilt versions 0.20.8 through 0.37.3 Description The HUD HTTP server lacks authentication for state-changing and sensitive-read endpoints. When the HUD is bound to a non-loopback address, a network attacker can trigger pre-defined Tiltfile...
PT-2026-50978
Name of the Vulnerable Software and Affected Versions Tilt versions 0.19.5 through 0.37.3 Description The Tilt HUD server mounts Go's net/http/pprof handlers under the '/debug' endpoint without access control. When the HUD is network-exposed, an unauthenticated caller can read process memory via...