269 matches found
CVE-2026-53522
Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 1.0.0 to before version 2.2.0, the Nezha dashboard exposes two endpoints that create long-lived WebSocket streams to monitored agents: POST /api/v1/terminal → createTerminal...
PT-2026-49003
Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 1.0.0 to before version 2.2.0, the Nezha dashboard exposes two endpoints that create long-lived WebSocket streams to monitored agents: POST /api/v1/terminal → createTerminal...
MAL-2026-5627 Malicious code in rate-limits-flexible (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware f51c182413a9d071e2e2109f7477ff0fb1b05fae4e5e98a46bb53e7d8b2d693b Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in rate-limits-flexible (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware f51c182413a9d071e2e2109f7477ff0fb1b05fae4e5e98a46bb53e7d8b2d693b Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Yamcs security vulnerabilities
Yamcs is an open-source software framework developed by Yamcs. It is used for commanding and controlling spacecraft, satellites, payloads, ground stations, and ground equipment. YAMCS has a security vulnerability that stems from the lack of rate limits...
Missing Authorization
Overview Affected versions of this package are vulnerable to Missing Authorization in the OCI validator process when upstream rate limits are encountered. An attacker can bypass intended ownership restrictions by exploiting the lack of proper checks during rate-limited conditions. Remediation...
GO-2026-5008 MCP Registry: OCI validator skips ownership check on upstream rate limits in github.com/modelcontextprotocol/registry
MCP Registry: OCI validator skips ownership check on upstream rate limits in github.com/modelcontextprotocol/registry...
PT-2026-42384
MCP Registry: OCI validator skips ownership check on upstream rate limits in github.com/modelcontextprotocol/registry...
MCP Registry: OCI validator skips ownership check on upstream rate limits
OCI ownership validation fails open on upstream rate limits, allowing attacker to claim arbitrary public OCI images under their own namespace Severity: Low re-scored post-triage; see Maintainer triage note below Affected: modelcontextprotocol/registry main branch at commit fe0cb3b current HEAD as...
CVE-2026-43491
In the Linux kernel, the following vulnerability has been resolved: net: qrtr: ns: Limit the maximum server registration per node Current code does no bound checking on the number of servers added per node. A malicious client can flood NEWSERVER messages and exhaust memory. Fix this issue by...
Debian dla-4589 : libnginx-mod-http-auth-pam - security update
The remote Debian 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-4589 advisory. ------------------------------------------------------------------------- Debian LTS Advisory DLA-4589-1 [email protected]...
[SECURITY] [DSA 6278-1] nginx security update
------------------------------------------------------------------------- Debian Security Advisory DSA-6278-1 [email protected] https://www.debian.org/security/ Moritz Muehlenhoff May 16, 2026 https://www.debian.org/security/faq -...
BIT-NGINX-GATEWAY-2026-40460 NGINX ngx_quic_module vulnerability
When NGINX Plus or NGINX Open Source are configured to use the HTTP/3 QUIC module, an attacker may be able to spoof their source IP address allowing for bypass of authorization or bypass of rate limiting. Note: Software versions which have reached End of Technical Support EoTS are not evaluated...
User Impersonation
Overview Affected versions of this package are vulnerable to User Impersonation due to the reliance on client-supplied IP address headers such as X-Forwarded-For, X-Real-IP, and True-Client-IP. An attacker can circumvent per-IP rate limiting by supplying arbitrary values in these headers, causing...
User Impersonation
Overview Affected versions of this package are vulnerable to User Impersonation due to the reliance on client-supplied IP address headers such as X-Forwarded-For, X-Real-IP, and True-Client-IP. An attacker can circumvent per-IP rate limiting by supplying arbitrary values in these headers, causing...
User Impersonation
Overview Affected versions of this package are vulnerable to User Impersonation due to the reliance on client-supplied IP address headers such as X-Forwarded-For, X-Real-IP, and True-Client-IP. An attacker can circumvent per-IP rate limiting by supplying arbitrary values in these headers, causing...
CVE-2026-45781 MCP Registry: OCI ownership validation fails open on upstream rate limits, allowing attacker-controlled package claims
The MCP Registry provides MCP clients with a list of MCP servers, like an app store for MCP servers. Prior to 1.7.9, OCI ownership validation skips label-match check when upstream OCI registry returns HTTP 429, letting any authenticated publisher bind their io.github./ namespace to OCI images the...
CVE-2026-45781 MCP Registry: OCI ownership validation fails open on upstream rate limits, allowing attacker-controlled package claims
The MCP Registry provides MCP clients with a list of MCP servers, like an app store for MCP servers. Prior to 1.7.9, OCI ownership validation skips label-match check when upstream OCI registry returns HTTP 429, letting any authenticated publisher bind their io.github./ namespace to OCI images the...
CVE-2026-45781
The CVE-2026-45781 issue affects the MCP Registry: before 1.7.9, OCI ownership validation can skip the label-match check when upstream OCI registry responses are HTTP 429. This allows an authenticated publisher to bind their io.github./* namespace to OCI images they do not control because the lab...
CVE-2026-46356 Fleet: IP spoofing allows bypassing API rate limiting
Fleet is open source device management software. Prior to version 4.80.1, a vulnerability in Fleet's IP extraction logic allows unauthenticated attackers to bypass API rate limiting by spoofing client IP headers. This may allow brute-force login attempts or other abuse against Fleet instances...