Lucene search
+L

836 matches found

EUVD
EUVD
added 3 days ago7 views

EUVD-2026-44795

MCP Python SDK: HTTP transports serve session requests without verifying the authenticated principal...

7.1CVSS6.1AI score0.0025EPSS
Exploits0References7
NVD
NVD
added 4 days ago7 views

CVE-2026-59950

The MCP Python SDK, called mcp on PyPI, is a Python implementation of the Model Context Protocol MCP. Prior to 1.28.1, the deprecated mcp.server.websocket.websocketserver transport accepted WebSocket handshakes without applying Host or Origin header validation, leaving no SDK-level way to restric...

8.1CVSS0.00151EPSS
Exploits0References4
Cvelist
Cvelist
added 4 days ago34 views

CVE-2026-59950 MCP Python SDK: WebSocket server transport does not support Host/Origin validation

The MCP Python SDK, called mcp on PyPI, is a Python implementation of the Model Context Protocol MCP. Prior to 1.28.1, the deprecated mcp.server.websocket.websocketserver transport accepted WebSocket handshakes without applying Host or Origin header validation, leaving no SDK-level way to restric...

7.6CVSS0.00151EPSS
Exploits0References4
OSV
OSV
added 4 days ago3 views

CVE-2026-52870 MCP Python SDK: Experimental task handlers allow any client to access and cancel other clients' tasks

The MCP Python SDK, called mcp on PyPI, is a Python implementation of the Model Context Protocol MCP. From 1.23.0 until 1.27.2, default handlers installed by server.experimental.enabletasks for tasks/list, tasks/get, tasks/result, and tasks/cancel operate only on task identifiers without recordin...

7.6CVSS6.1AI score0.00223EPSS
Exploits0References6
OSV
OSV
added 4 days ago4 views

CVE-2026-52869 MCP Python SDK: HTTP transports serve session requests without verifying the authenticated principal

The MCP Python SDK, called mcp on PyPI, is a Python implementation of the Model Context Protocol MCP. Prior to 1.27.2, the SSE and stateful Streamable HTTP transports mcp.server.sse.SseServerTransport and mcp.server.streamablehttpmanager.StreamableHTTPSessionManager route requests to existing...

7.1CVSS6.1AI score0.0025EPSS
Exploits0References8
Positive Technologies
Positive Technologies
added 4 days ago10 views

PT-2026-60301

Name of the Vulnerable Software and Affected Versions mcp versions prior to 1.28.1 Description The MCP Python SDK, a Python implementation of the Model Context Protocol, contains an issue in the deprecated mcp.server.websocket.websocket server transport. This component accepts WebSocket handshake...

7.6CVSS6.1AI score0.00151EPSS
Exploits0References9
OSV
OSV
added 5 days ago2 views

DEBIAN-CVE-2026-59885

pyasn1 is a generic ASN.1 library for Python. Prior to 0.6.4, the BER, CER, and DER decoders process OBJECT IDENTIFIER and RELATIVE-OID values in quadratic time relative to the number of arcs, so a small crafted payload containing an OID with many arcs consumes excessive CPU per decode call and c...

7.5CVSS6.1AI score0.00339EPSS
Exploits0References1
OSV
OSV
added 2026/07/09 12:0 a.m.6 views

OPENSUSE-SU-2026:11238-1 python313-pypdf-6.14.2-1.1 on GA media

These are all security issues fixed in the python313-pypdf-6.14.2-1.1 package on the GA media of openSUSE Tumbleweed...

8.7CVSS6.1AI score0.00352EPSS
Exploits0References3
OSV
OSV
added 2026/07/08 9:16 p.m.3 views

UBUNTU-CVE-2026-55195

py7zr is a Python-based library and utility to support 7zip archive compression, decompression, encryption and decryption. Prior to 1.1.3, py7zr's Worker.decompress extracted archive entries without tracking total decompressed size, allowing a crafted .7z file such as a 15.6 KB archive that expan...

8.7CVSS6.1AI score0.00321EPSS
Exploits0References5
RedHat Linux
RedHat Linux
added 2026/07/08 2:20 p.m.7 views

urllib3: urllib3: Information disclosure via cross-origin redirects forwarding sensitive headers

A flaw was found in urllib3, an HTTP client library for Python. When using the low-level API via ProxyManager.connectionfromurl.urlopen with assertsamehost=False, cross-origin redirects can still forward sensitive headers. This could allow a remote attacker to gain unauthorized access to sensitiv...

8.2CVSS7.1AI score0.00527EPSS
Exploits0References5
OSV
OSV
added 2026/07/07 4:3 p.m.7 views

PYSEC-2026-1208 Azure Core is vulnerable to deserialization of untrusted data

Deserialization of untrusted data in Azure Core shared client library for Python allows an authorized attacker to execute code over a network...

7.5CVSS6.1AI score0.00776EPSS
Exploits0References6
OSV
OSV
added 2026/07/06 6:26 a.m.5 views

OESA-2026-2814 python-urllib3 security update

HTTP library with thread-safe connection pooling, file post support, sanity friendly, and more. Security Fixes: urllib3 version 2.6.3 is vulnerable to a decompression bomb bypass in its streaming API preloadcontent=False when using Brotli support. The issue arises due to three independent code...

7.5CVSS6.3AI score0.00304EPSS
Exploits0References2
RedHat Linux
RedHat Linux
added 2026/07/06 5:8 a.m.8 views

python-pyjwt: PyJWT: Authentication bypass due to forged JSON Web Tokens

A flaw was found in PyJWT, a Python library for JSON Web Token JWT implementation. When decoding JWTs, the library fails to validate the use of JSON Web Keys JWK in the HMAC algorithm while also supporting asymmetric algorithms. This allows a remote attacker to use the issuer's public key as the...

7.4CVSS5.9AI score0.00394EPSS
Exploits1References5
RedHat Linux
RedHat Linux
added 2026/07/06 3:54 a.m.6 views

python-pyjwt: PyJWT: Authentication bypass due to forged JSON Web Tokens

A flaw was found in PyJWT, a Python library for JSON Web Token JWT implementation. When decoding JWTs, the library fails to validate the use of JSON Web Keys JWK in the HMAC algorithm while also supporting asymmetric algorithms. This allows a remote attacker to use the issuer's public key as the...

7.4CVSS5.9AI score0.00394EPSS
Exploits1References5
OSV
OSV
added 2026/07/04 12:0 a.m.3 views

OPENSUSE-SU-2026:11183-1 python313-joserfc-1.7.2-2.1 on GA media

These are all security issues fixed in the python313-joserfc-1.7.2-2.1 package on the GA media of openSUSE Tumbleweed...

8.7CVSS5.9AI score0.00194EPSS
Exploits0References1
RedHat Linux
RedHat Linux
added 2026/07/01 9:0 a.m.1 views

urllib3: urllib3: Information disclosure via cross-origin redirects forwarding sensitive headers

A flaw was found in urllib3, an HTTP client library for Python. When using the low-level API via ProxyManager.connectionfromurl.urlopen with assertsamehost=False, cross-origin redirects can still forward sensitive headers. This could allow a remote attacker to gain unauthorized access to sensitiv...

8.2CVSS6.3AI score0.00527EPSS
Exploits0References5
Cvelist
Cvelist
added 2026/06/30 9:36 p.m.26 views

CVE-2026-57585 MessagePack: Out-of-bounds read/crash on Unpacker reuse after caught error

MessagePack is the serializer implementation for Python msgpack.org. Prior to 1.2.1, there is an Out-of-bounds read/crash on Unpacker reuse after a caught error, potentially leading to a DoS attack. If the Unpacker is used repeatedly after an error occurs, the process may crash with a SEGV. This...

7.5CVSS0.00278EPSS
Exploits0References2
OSV
OSV
added 2026/06/29 11:10 a.m.8 views

BIT-LIBPYTHON-2026-11972 tarfile opened in streaming mode mishandles EOF

When using the "tarfile" module with a file opened in "streaming mode" mode="r|" the tarfile module did not properly handle EOF, making archive parsing take exponentially longer...

8.2CVSS5.8AI score0.00433EPSS
Exploits0References10
Positive Technologies
Positive Technologies
added 2026/06/27 12:0 a.m.14 views

PT-2026-53225

Name of the Vulnerable Software and Affected Versions mcp Python SDK versions prior to 1.27.2 Description Principal confusion exists in the HTTP transports of the mcp Python SDK. Specifically, the SSE and Streamable HTTP stateful mode routed sessions fail to verify if the principal matches the...

7.1CVSS5.8AI score0.0025EPSS
Exploits0References12
Positive Technologies
Positive Technologies
added 2026/06/27 12:0 a.m.11 views

PT-2026-53226

Name of the Vulnerable Software and Affected Versions MCP Python SDK versions prior to 1.27.2 Description A missing authorization issue exists in the official Model Context Protocol Python SDK. On multi-client servers, the default request handlers registered by the experimental enable tasks helpe...

7.6CVSS6.1AI score0.00223EPSS
Exploits0References11
Rows per page
Query Builder