12 matches found
PT-2026-39262
Name of the Vulnerable Software and Affected Versions MCP Registry versions prior to 1.7.6 Description The GitHub OIDC flow for both client and server is bound to a global audience string instead of the specific registry instance being targeted. On the client side, the publisher always appends...
CVE-2026-39308
PraisonAI is a multi-agent teams system. Prior to 1.5.113, PraisonAI's recipe registry publish endpoint writes uploaded recipe bundles to a filesystem path derived from the bundle's internal manifest.json before it verifies that the manifest name and version match the HTTP route. A malicious...
CVE-2026-39308
PraisonAI is a multi-agent teams system. Prior to 1.5.113, PraisonAI's recipe registry publish endpoint writes uploaded recipe bundles to a filesystem path derived from the bundle's internal manifest.json before it verifies that the manifest name and version match the HTTP route. A malicious...
PT-2026-30767
Summary PraisonAI's recipe registry publish endpoint writes uploaded recipe bundles to a filesystem path derived from the bundle's internal manifest.json before it verifies that the manifest name and version match the HTTP route. A malicious publisher can place ../ traversal sequences in the bund...
MAL-2025-114391 Malicious code in hadi-bakso96-miaww (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 18164aac7d616789411257197e1d9ec3336dddc3c306dbfb974a8c74464a005f This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in ghjcng-devapptea (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a3cb8be84449e48675e06963d09248604561854f4278d6b76b0da499217f0000 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
MAL-2025-103549 Malicious code in hanafi-moci94-ruro (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 997d7b98112050229465f4eb126eb354e2296329e89d18a4989f0a42c3948265 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in conceptual_snake_z3n (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 462a2897ec19553829060f3ca9490122e19f69dc36aae8c46809157ebc5549d3 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
MAL-2025-91889 Malicious code in vina-keraktelor57-miaww (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 301b92ad36399773a733d5ad8066c6bc3f77acb9583184368527cacaa91fbc93 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in bayu-semur18-breki (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 7be6324072ade5c9d2031835fa39c433a39cfbca0e050860a32a09971206c299 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in specified-black-hookworm (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 147a89f13c059a0f1f900ef4f18e322c2dd43ce1233b0b963be734f5980dd064 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in candra-takokak92-sukiwir (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a4b94aab6bd9c02998dac8e89926e7de48d9867e6e1cccbf0982e9a0325337c0 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...