7 matches found
CVE-2026-5222
A flaw was found in rust-cargo. The Cargo tool, used for managing Rust projects, incorrectly handled the URLs of third-party registries when using the sparse index protocol. This vulnerability could allow an attacker, who is able to publish packages in a registry, to obtain sensitive credentials...
MCP Registry has open redirect via protocol-relative path in trailing-slash middleware
Summary The TrailingSlashMiddleware in internal/api/server.go is vulnerable to an open redirect attack. An attacker can craft a URL with a protocol-relative path e.g., //evil.com/ that, after trailing slash removal, results in a Location header of //evil.com — which browsers interpret as an...
Exposure of Sensitive System Information to an Unauthorized Control Sphere
Overview Affected versions of this package are vulnerable to Exposure of Sensitive System Information to an Unauthorized Control Sphere due to the improper validation of target registry domains during the token exchange process. An attacker can extract and misuse authentication tokens by directin...
Exposure of Sensitive System Information to an Unauthorized Control Sphere
Overview Affected versions of this package are vulnerable to Exposure of Sensitive System Information to an Unauthorized Control Sphere due to the improper validation of target registry domains during the token exchange process. An attacker can extract and misuse authentication tokens by directin...
Exposure of Sensitive System Information to an Unauthorized Control Sphere
Overview Affected versions of this package are vulnerable to Exposure of Sensitive System Information to an Unauthorized Control Sphere due to the improper validation of target registry domains during the token exchange process. An attacker can extract and misuse authentication tokens by directin...
Exposure of Sensitive System Information to an Unauthorized Control Sphere
Overview Affected versions of this package are vulnerable to Exposure of Sensitive System Information to an Unauthorized Control Sphere due to the improper validation of target registry domains during the token exchange process. An attacker can extract and misuse authentication tokens by directin...
Container Registry Credential Leak
Trivy is vulnerable to Container Registry Credential Leak. The vulnerability is due to insufficient registry domain validation which results in container registry credential leakage. An attacker must convince a user intro scanning a malicious container, which then allows an attacker to push/pull...