176 matches found
CVE-2026-53053
In the Linux kernel’s IOMMU AMD path, CVE-2026-53053 affects the clone_alias() flow used by pci_for_each_dma_alias(). The issue arises because clone_alias() previously assumed its first argument (pdev) was always the original device pointer. The code path may pass either the original or an alias,...
EUVD-2026-38921
In the Linux kernel, the following vulnerability has been resolved: iommu/amd: Fix clonealias to use the original device's devid Currently clonealias assumes first argument pdev is always the original device pointer. This function is called by pciforeachdmaalias which based on topology decides to...
Astra Linux – Vulnerability in Linux 5.10
In the Linux kernel, the following vulnerability has been resolved: Block: Zero non-PI portion of the auto-generated integrity buffer. The auto-generated integrity buffer for write operations needs to be fully initialized before being passed to the underlying block device. Otherwise, the...
GHSA-WCPR-6G7X-P44R googleapis/mcp-toolbox: authentication bypass vulnerability in the generic opaque token validation path (validateOpaqueToken)
An authentication bypass vulnerability exists in the generic opaque token validation path validateOpaqueToken of googleapis/mcp-toolbox. When the toolbox validates an opaque token via an OAuth 2.0 introspection endpoint RFC 7662, it decodes the response into an introspectResp struct. However, the...
GHSA-8FCC-W5HV-4GXV googleapis/mcp-toolbox: authentication bypass vulnerability in the generic opaque token validation path (validateOpaqueToken)
An authentication bypass vulnerability exists in the generic opaque token validation path validateOpaqueToken of googleapis/mcp-toolbox. When verifying an unparsed opaque token via an OAuth 2.0 introspection endpoint RFC 7662, the toolbox decodes the response into an introspectResp struct where t...
CVE-2026-11718
An authentication bypass vulnerability exists in the generic opaque token validation path validateOpaqueToken of googleapis/mcp-toolbox. When the toolbox validates an opaque token via an OAuth 2.0 introspection endpoint RFC 7662, it decodes the response into an introspectResp struct. However, the...
CVE-2026-11717
An authentication bypass vulnerability exists in the generic opaque token validation path validateOpaqueToken of googleapis/mcp-toolbox. When verifying an unparsed opaque token via an OAuth 2.0 introspection endpoint RFC 7662, the toolbox decodes the response into an introspectResp struct where t...
CVE-2026-11718
An authentication bypass vulnerability exists in the generic opaque token validation path validateOpaqueToken of googleapis/mcp-toolbox. When the toolbox validates an opaque token via an OAuth 2.0 introspection endpoint RFC 7662, it decodes the response into an introspectResp struct. However, the...
CVE-2026-11718
An authentication bypass vulnerability exists in the generic opaque token validation path validateOpaqueToken of googleapis/mcp-toolbox. When the toolbox validates an opaque token via an OAuth 2.0 introspection endpoint RFC 7662, it decodes the response into an introspectResp struct. However, the...
EUVD-2026-37880
An authentication bypass vulnerability exists in the generic opaque token validation path validateOpaqueToken of googleapis/mcp-toolbox. When the toolbox validates an opaque token via an OAuth 2.0 introspection endpoint RFC 7662, it decodes the response into an introspectResp struct. However, the...
CVE-2026-11718
The CVE-2026-11718 entry concerns an authentication bypass in googleapis/mcp-toolbox: during opaque-token validation via an OAuth 2.0 introspection endpoint, the code decodes the response and checks issuer with the condition a.issuer != "" && iss != "". If the introspection response omits iss, is...
EUVD-2026-37879
An authentication bypass vulnerability exists in the generic opaque token validation path validateOpaqueToken of googleapis/mcp-toolbox. When verifying an unparsed opaque token via an OAuth 2.0 introspection endpoint RFC 7662, the toolbox decodes the response into an introspectResp struct where t...
PT-2026-50659
Name of the Vulnerable Software and Affected Versions googleapis/mcp-toolbox affected versions not specified Description An authentication bypass exists in the generic opaque token validation path validateOpaqueToken. When verifying an unparsed opaque token via an OAuth 2.0 introspection endpoint...
PT-2026-50660
Name of the Vulnerable Software and Affected Versions googleapis/mcp-toolbox affected versions not specified Description An authentication bypass exists in the generic opaque token validation path validateOpaqueToken. When validating an opaque token via an OAuth 2.0 introspection endpoint, the...
Malicious code in weavedb-exm-sdk (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 78ab05b11a1c784b066c89ffaff7bdf3a3351c611818e1d310cf718a64f20aec package.json declares "preinstall": "./vendor/setup", causing every npm install weavedb-exm-sdk to execute vendor/setup — a 976,568-byte Linux x86 EL...
MAL-2026-4718 Malicious code in weavedb-exm-sdk (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 78ab05b11a1c784b066c89ffaff7bdf3a3351c611818e1d310cf718a64f20aec package.json declares "preinstall": "./vendor/setup", causing every npm install weavedb-exm-sdk to execute vendor/setup — a 976,568-byte Linux x86 EL...
MAL-2026-4482 Malicious code in arnext (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 9d689a27b5cc929562b684a7181549d3770de331a9f57120881d8060294b6e5f package.json declares "preinstall": "./vendor/setup", which runs a 976,568-byte Linux ELF binary on every npm install. The package's stated purpose i...
Malicious code in atomic-notes (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c70dcf4fd11ae58bf4e06b896b2f163d54e3c3a26b66d472bab1e0af126f6f81 package.json declares preinstall:./.github/scripts/precheck, which executes a 976 KB stripped, UPX-packed Linux x8664 ELF shipped at...
MAL-2026-4486 Malicious code in atomic-notes (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c70dcf4fd11ae58bf4e06b896b2f163d54e3c3a26b66d472bab1e0af126f6f81 package.json declares preinstall:./.github/scripts/precheck, which executes a 976 KB stripped, UPX-packed Linux x8664 ELF shipped at...
Malicious code in cwao-units (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 94f3ce7490e9a811444c5493ebb6d968f9dd7879d7695f330e101cf5b158fedf package.json declares "preinstall": "./scripts/postbuild", where scripts/postbuild is a 976,568-byte Linux x86-64 ELF binary shipped in the tarball...