10 matches found

CVE
added 2026/04/08 8:34 p.m.

CVE-2026-39885

CVE-2026-39885 affects FrontMCP (prior to 2.3.0) via the mcp-from-openapi library, which dereferences $ref in OpenAPI specs without URL restrictions, enabling SSRF and local file reads when processing untrusted specs. Fixed in 2.3.0. CVSS v3.1 base score 7.5 (HIGH). Exploitation status not provid...

CVSS 7.5, AI score 5.9, EPSS 0.00319
Exploits 1, References 2, Affected Software 4
NVD
added 2026/03/26 7:17 p.m.

CVE-2026-33149

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Versions up to and including 2.5.3 set ALLOWED_HOSTS = '' by default, which causes Django to accept any value in the HTTP Host header without validation. The application uses request.build_absolute_u...

CVSS 8.1, EPSS 0.00304
Exploits 1, References 1
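The Tandoor entry describes the Host-header class of bug: when the allowlist accepts anything, every absolute URL the application derives from the request (password-reset links being the classic target) is attacker-controlled. The following is an added example, not Tandoor's or Django's code: an allowlist check modelled on the semantics of Django's validate_host() (port stripping, trailing-dot removal, leading-dot subdomain patterns, "*" wildcard), next to the risky pattern of building an absolute URL straight from the header. The wildcard entry "*" stands in for whatever permissive default the advisory describes; that shape, the host names and the reset path are my assumptions.

```python
# Added example; not Tandoor's or Django's code. An allowlist check for the
# HTTP Host header modelled on the semantics of Django's validate_host(), plus
# the risky pattern of building an absolute URL straight from that header.
# The wildcard entry "*" stands in for whatever permissive default the
# advisory describes (my assumption about its shape, not the advisory's text).
from typing import List, Tuple


def split_domain_port(host: str) -> Tuple[str, str]:
    """Return (domain, port) for a Host header value: lowercased, trailing dot
    dropped, IPv6 literals kept with their brackets."""
    host = host.lower()
    if host.endswith("]"):                    # "[::1]" with no port
        return host, ""
    if host.startswith("["):                  # "[::1]:8000"
        domain, _, port = host.rpartition(":")
        return domain, port
    if host.count(":") == 1:                  # "example.org:8000"
        domain, _, port = host.partition(":")
        return domain.rstrip("."), port
    return host.rstrip("."), ""


def is_same_domain(host: str, pattern: str) -> bool:
    """A leading-dot pattern (".example.org") matches the apex and every
    subdomain; any other pattern must match exactly."""
    if not pattern:
        return False
    pattern = pattern.lower()
    if pattern.startswith("."):
        return host.endswith(pattern) or host == pattern[1:]
    return host == pattern


def validate_host(host: str, allowed_hosts: List[str]) -> bool:
    """True if the Host header is on the allowlist. An allowlist containing
    "*" accepts anything, which is the misconfiguration class at issue."""
    domain, _port = split_domain_port(host)
    return any(p == "*" or is_same_domain(domain, p) for p in allowed_hosts)


def build_absolute_uri(host_header: str, path: str, allowed_hosts: List[str],
                       scheme: str = "https") -> str:
    """Build the absolute URL the way a framework does from the request's
    Host header: whoever controls that header controls the link that gets
    e-mailed. Refuses hosts that fail validation."""
    if not validate_host(host_header, allowed_hosts):
        raise ValueError(f"DisallowedHost: {host_header!r}")
    return f"{scheme}://{host_header}{path}"


def reset_link_outcome(host_header: str, allowed_hosts: List[str]) -> str:
    """Outcome of generating a password-reset link for a request carrying
    `host_header`: the (poisoned or legitimate) link, or "rejected"."""
    reset_path = "/accounts/reset/MQ/abc123-token/"     # constructed sample path
    try:
        return build_absolute_uri(host_header, reset_path, allowed_hosts)
    except ValueError:
        return "rejected"


if __name__ == "__main__":
    permissive = ["*"]
    strict = ["recipes.example.org", ".internal.example"]
    print(reset_link_outcome("evil.example", permissive))        # attacker-owned link
    print(reset_link_outcome("evil.example", strict))            # rejected
    print(reset_link_outcome("recipes.example.org:8443", strict))
```

The check is deliberately a pure string comparison: a host allowlist is only as strict as its entries, so a deployment default that amounts to "*" (or an equally broad pattern) hands the reset link's origin to whoever sends the request, and a reverse proxy that rewrites Host to a fixed value is the usual compensating control when the application default cannot be changed.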
OSV
added 2026/01/22 6:09 p.m.

GHSA-F456-RF33-4626 Orval Mock Generation Code Injection via const

I am reporting a code injection vulnerability in Orval’s mock generation pipeline affecting @orval/mock in both the 7.x and 8.x series. This issue is related in impact to the previously reported enum x-enumDescriptions https://github.com/advisories/GHSA-h526-wf6g-67jv, but it affects a different...

CVSS 7.7, AI score 6, EPSS 0.00678
Exploits 0, References 11
Github Security Blog
added 2026/01/22 6:09 p.m.

Orval Mock Generation Code Injection via const

I am reporting a code injection vulnerability in Orval’s mock generation pipeline affecting @orval/mock in both the 7.x and 8.x series. This issue is related in impact to the previously reported enum x-enumDescriptions https://github.com/advisories/GHSA-h526-wf6g-67jv, but it affects a different...

CVSS 9.8, AI score 6, EPSS 0.00678
Exploits 0, References 11, Affected Software 1
vulnersOsv
added 2025/11/24 4:24 p.m.

@achinet/nestjs-async (>=0.0.1 <=0.2.0), @aligov/clark-core (>=3.0.0 <=3.0.1) +90 more potentially affected by unknown CVE via @asyncapi/openapi-schema-parser (=3.0.24)

@asyncapi/openapi-schema-parser NPM version =3.0.24 is affected by a known vulnerability. The following packages have a transitive dependency on @asyncapi/openapi-schema-parser and may be impacted: - @achinet/nestjs-async =0.0.1, =3.0.0, =0.2.44, =4.1.3, =0.7.1, =0.9.0, =1.10.0, =0.2.0, =0.1.0,...

AI score 5.5
Exploits 0
EUVD
added 2025/11/24 11:43 a.m.

EUVD-2025-198641

Malicious code in @asyncapi/openapi-schema-parser npm...

AI score 6.6
Exploits 0, References 1
OSSF Malicious Packages
added 2025/11/24 11:43 a.m.

Malicious code in @asyncapi/openapi-schema-parser (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 7b4e9b39029c1f0084db9cd77fb419e5b003036f5b3db50d6b52097114f0c729 The package @asyncapi/openapi-schema-parser was found to contain malicious code. Source: ghsa-malware...

AI score 6.9
Exploits 0, References 4
OSV
added 2025/11/24 11:43 a.m.

MAL-2025-190639 Malicious code in @asyncapi/openapi-schema-parser (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 7b4e9b39029c1f0084db9cd77fb419e5b003036f5b3db50d6b52097114f0c729 The package @asyncapi/openapi-schema-parser was found to contain malicious code. Source: ghsa-malware...

AI score 6.8
Exploits 0, References 4
NVD
added 2025/03/19 4:15 p.m.

CVE-2025-30153

kin-openapi is a Go project for handling OpenAPI files. Prior to 0.131.0, when validating a request with a multipart/form-data schema, if the OpenAPI schema allows it, an attacker can upload a crafted ZIP file e.g., a ZIP bomb, causing the server to consume all available system memory. The root...

CVSS 7.5, EPSS 0.00497
Exploits 0, References 5
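The kin-openapi entry is the decompression-bomb pattern: a schema that permits a file upload lets the request validator inflate an attacker-supplied archive with no ceiling on the output. As an added example, not kin-openapi's code (that project is Go), here is the defence class in Python: a reader that counts bytes as the decompressor actually emits them and aborts at a fixed budget, with the declared sizes from the central directory used only as a cheap early reject because they are attacker-controlled. The sample archive is constructed in the block.

```python
# Added example; not kin-openapi's code (that project is Go). A byte-budgeted
# reader for uploaded ZIP data: decompression stops as soon as the inflated
# output exceeds a fixed budget, which is the defence class for ZIP bombs
# arriving through multipart/form-data file fields.
import io
import zipfile
from typing import Dict, Optional


class DecompressionLimitExceeded(Exception):
    """Raised when inflating the archive would exceed the configured budget."""


def read_zip_bounded(data: bytes, max_total: int, max_member: Optional[int] = None,
                     chunk: int = 64 * 1024) -> Dict[str, int]:
    """Inflate every member of `data`, counting bytes actually produced.

    The sizes recorded in the central directory are attacker-controlled, so
    they serve only as a cheap early reject; the binding limit is enforced on
    the decompressor's real output. Returns {member_name: inflated_bytes}.
    """
    max_member = max_total if max_member is None else max_member
    sizes: Dict[str, int] = {}
    total = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        declared = sum(info.file_size for info in zf.infolist())
        if declared > max_total:
            raise DecompressionLimitExceeded(
                f"declared size {declared} exceeds budget {max_total}")
        for info in zf.infolist():
            produced = 0
            with zf.open(info) as fh:
                while True:
                    buf = fh.read(chunk)
                    if not buf:
                        break
                    produced += len(buf)
                    total += len(buf)
                    if produced > max_member or total > max_total:
                        raise DecompressionLimitExceeded(
                            f"{info.filename}: inflated beyond budget")
            sizes[info.filename] = produced
    return sizes


def inflates_within(data: bytes, max_total: int, max_member: Optional[int] = None) -> bool:
    """Convenience predicate: True if the whole archive fits the budget."""
    try:
        read_zip_bounded(data, max_total, max_member)
        return True
    except DecompressionLimitExceeded:
        return False


def make_sample_zip(bomb_bytes: int) -> bytes:
    """Constructed input, not a real upload: a 5-byte text file plus one member
    of `bomb_bytes` zero bytes, which deflate shrinks roughly 1000-fold."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "hello")
        zf.writestr("bomb.bin", b"\0" * bomb_bytes)
    return buf.getvalue()


if __name__ == "__main__":
    sample = make_sample_zip(8 * 1024 * 1024)          # ~8 KiB on the wire, 8 MiB inflated
    print("wire bytes:", len(sample))
    print("1 MiB total budget:", inflates_within(sample, 1024 * 1024))
    print("16 MiB total, 1 MiB per member:", inflates_within(sample, 16 * 1024 * 1024, 1024 * 1024))
    print("16 MiB budget:", read_zip_bounded(sample, 16 * 1024 * 1024))
```

Two budgets are kept on purpose: a per-member cap catches a single inflated entry, and a running total catches an archive of many moderate entries. The same streaming shape applies to gzip, bzip2 and nested archives, and, where the request validator sits in a framework, the limit should be wired in before any schema-driven parsing of the upload happens.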
Snyk
added 2024/11/01 6:31 a.m.

Server-side Request Forgery (SSRF)

Overview: fastagency is "The fastest way to bring multi-agent workflows to production". Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the OAuth2PasswordBearer class's get_token method, where the token_url is constructed from unvalidated OpenAPI schema...

CVSS 8.8, AI score 6.9
Exploits 0, References 3
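This fastagency entry and CVE-2026-39885 (mcp-from-openapi, at the top of the list) share one shape: a URL taken from an untrusted OpenAPI document ($ref targets in one case, the OAuth2 tokenUrl in the other) is fetched with no egress policy, which yields SSRF against internal services and, for $ref, reads of local files. The following added example, code from neither project, walks a spec, extracts every location a client could be asked to fetch and classifies it before anything is dereferenced. The host allowlist, the key set and the sample spec are my constructions.

```python
# Added example; not code from FrontMCP/mcp-from-openapi (CVE-2026-39885) or
# from FastAgency (the Snyk SSRF above). Both bugs share one shape: a URL
# taken from an untrusted OpenAPI document ($ref targets in one case, the
# OAuth2 tokenUrl in the other) is fetched without any egress policy. This
# walks a spec, extracts every such location and classifies it before a
# single byte is dereferenced. Host allowlist and sample spec are mine.
import ipaddress
from typing import Any, Dict, Iterator, Set, Tuple
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Keys whose string values a client may be asked to fetch. "url" over-approximates
# (it also catches externalDocs.url), which is the safe direction for an audit.
URL_KEYS = {"$ref", "tokenUrl", "authorizationUrl", "refreshUrl", "url"}
Path = Tuple[Any, ...]


def _is_forbidden_address(host: str) -> bool:
    """Refuse literal IPs in loopback, private, link-local (169.254.169.254
    metadata), unspecified, reserved or multicast ranges. Hostnames are not
    resolved here, so rebinding and redirect checks belong at connect time."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_unspecified or ip.is_reserved or ip.is_multicast)


def classify_target(value: str, allowed_hosts: Set[str]) -> str:
    """'local' for an in-document JSON pointer, 'allow' for http(s) to an
    allowlisted host, 'deny' for everything else (file:, bare or relative
    filesystem paths, userinfo tricks, internal addresses)."""
    if value.startswith("#"):
        return "local"
    parts = urlsplit(value)
    if parts.scheme not in ALLOWED_SCHEMES:
        return "deny"                    # "", "file", "gopher", drive letters...
    if parts.username or parts.password:
        return "deny"                    # http://trusted.example@evil.example/
    host = (parts.hostname or "").lower()
    if not host or _is_forbidden_address(host):
        return "deny"
    return "allow" if host in allowed_hosts else "deny"


def collect_targets(node: Any, path: Path = ()) -> Iterator[Tuple[Path, str, str]]:
    """Yield (path, key, value) for every fetchable location in the document."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key in URL_KEYS and isinstance(value, str):
                yield path + (key,), key, value
            else:
                yield from collect_targets(value, path + (key,))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from collect_targets(value, path + (i,))


def audit_spec(spec: Dict[str, Any], allowed_hosts: Set[str]) -> Dict[Path, str]:
    """Verdict per discovered target; a processor should refuse the whole
    document (or strip the entries) when any verdict is 'deny'."""
    return {p: classify_target(v, allowed_hosts) for p, _k, v in collect_targets(spec)}


def spec_is_safe(spec: Dict[str, Any], allowed_hosts: Set[str]) -> bool:
    return all(v != "deny" for v in audit_spec(spec, allowed_hosts).values())


# Constructed sample mixing benign and hostile entries; not taken from any advisory.
SAMPLE_SPEC: Dict[str, Any] = {
    "openapi": "3.0.3",
    "servers": [{"url": "https://api.example.com/v1"}],
    "paths": {"/pets": {"get": {"responses": {"200": {"content": {
        "application/json": {"schema": {"$ref": "#/components/schemas/Pet"}}}}}}}},
    "components": {
        "schemas": {
            "Pet": {"type": "object"},
            "Secret": {"$ref": "file:///etc/passwd"},
            "Relative": {"$ref": "../../../../etc/shadow#/x"},
            "Meta": {"$ref": "http://169.254.169.254/latest/meta-data/iam/"},
            "Remote": {"$ref": "https://schemas.example.com/common.json#/Pet"},
        },
        "securitySchemes": {"oauth": {"type": "oauth2", "flows": {"password": {
            "tokenUrl": "http://127.0.0.1:5000/token", "scopes": {}}}}},
    },
}

if __name__ == "__main__":
    trusted = {"api.example.com", "schemas.example.com"}
    for path, verdict in audit_spec(SAMPLE_SPEC, trusted).items():
        print(verdict.ljust(5), "/".join(map(str, path)))
    print("safe to process:", spec_is_safe(SAMPLE_SPEC, trusted))
```

The classifier is intentionally syntactic: it blocks the obvious escapes (file:, relative paths that a naive resolver would open from disk, literal internal addresses, userinfo confusion) and then falls back to an allowlist rather than a denylist of hosts. Because names are not resolved, a production resolver still needs the connect-time half of the control: resolve, re-check the resulting address against the same ranges, and refuse to follow redirects to anything that would have been denied.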