12781 matches found
CVE-2026-52869
The MCP Python SDK, called mcp on PyPI, is a Python implementation of the Model Context Protocol MCP. Prior to 1.27.2, the SSE and stateful Streamable HTTP transports mcp.server.sse.SseServerTransport and mcp.server.streamablehttpmanager.StreamableHTTPSessionManager route requests to existing...
CVE-2026-52870
The MCP Python SDK, called mcp on PyPI, is a Python implementation of the Model Context Protocol MCP. From 1.23.0 until 1.27.2, default handlers installed by server.experimental.enabletasks for tasks/list, tasks/get, tasks/result, and tasks/cancel operate only on task identifiers without recordin...
CVE-2026-59950
The MCP Python SDK (package name mcp on PyPI) contains a vulnerability in the deprecated mcp.server.websocket.websocket_server transport prior to version 1.28.1, which accepted WebSocket handshakes without Host or Origin header validation. This prevents restrictions on originating connections to ...
CVE-2026-52870
The MCP Python SDK (package mcp on PyPI) has a vulnerability in versions 1.23.0–1.27.1 where default handlers installed by server.experimental.enable_tasks() for tasks/list, tasks/get, tasks/result, and tasks/cancel only operate on task identifiers and do not record the session that created each ...
CVE-2026-52869
The MCP Python SDK (mcp on PyPI) has a vulnerability affecting versions prior to 1.27.2 in its SSE and stateful Streamable HTTP transports. These transports (mcp.server.sse.SseServerTransport and mcp.server.streamable_http_manager.StreamableHTTPSessionManager) route requests to an existing sessio...
TOTOLINK/Realtek Routers - Information Disclosure
A certain router administration interface using Realtek APMIB e.g., on TOTOLINK models allows unauthenticated remote attackers to disclose the entire router configuration, including sensitive credentials, via accessing the "config.dat" file. Affected devices include TOTOLINK A3002RU through 2.0.0...
Video Conferencing with Zoom API < 4.6.6 - Unauthenticated SDK Signature Generation
Zoom WordPress plugin 4.6.6 contains a broken authentication caused by disabled nonce verification in an AJAX handler, letting unauthenticated attackers generate valid Zoom SDK signatures and retrieve the Zoom SDK key. id: CVE-2026-1368 info: name: Video Conferencing with Zoom API 4.6.6 -...
CVE-2026-8919
Permissive Cross-domain Security Policy with Untrusted Domains in ASUS GameSDK allows a remote user to obtain a local user’s NTLM hash by convincing the user to visit a crafted web page that sends a request containing a UNC path to the application’s local service endpoint. This can result in...
CVE-2026-8919
Permissive Cross-domain Security Policy with Untrusted Domains in ASUS GameSDK allows a remote user to obtain a local user’s NTLM hash by convincing the user to visit a crafted web page that sends a request containing a UNC path to the application’s local service endpoint. This can result in...
EUVD-2025-210471
A use of uninitialized value vulnerability exists in the Matter SDK connectedhomeip before 1.4.0, where the GetDestinationGroupId.Value method is called without first checking whether a value exists. This leads to a crash when an InvokeCommand is sent without initializing the destination group ID...
EUVD-2025-210468
A reachable assertion vulnerability exists in the Matter SDK connectedhomeip 1.3 thru 1.4, specifically within the Level Control cluster's server tick logic emberAfLevelControlClusterServerTickCallback. When a MoveToLevel command is executed and followed by a conflicting write to the OperationMod...
CVE-2025-56362
A reachable assertion vulnerability exists in the Matter SDK connectedhomeip before 1.4.2, specifically within the Level Control cluster's periodic server tick logic. When a MoveToLevel command is sent and immediately followed by a write of OperationMode=2 in the Pump Configuration and Control...
CVE-2026-57898
In Eclipse BaSyx Java Server SDK versions 2.0.0-milestone-05 to 2.0.0-milestone-12, deployments using the MongoDB backend are vulnerable to an unauthenticated arbitrary file write through the AAS thumbnail API. The AAS thumbnail upload path accepted a client-controlled fileName request parameter...
CVE-2026-57898
In Eclipse BaSyx Java Server SDK versions 2.0.0-milestone-05 to 2.0.0-milestone-12, deployments using the MongoDB backend are vulnerable to an unauthenticated arbitrary file write through the AAS thumbnail API. The AAS thumbnail upload path accepted a client-controlled fileName request parameter...
Security Update for Microsoft .NET Core SDK (July 2026)
The Microsoft .NET Core SDK installations on the remote host are missing a security update. It is, therefore, affected by a vulnerability as referenced in the vendor advisory. - Improper link resolution before file access 'link following' in .NET allows an authorized attacker to perform tampering...
PT-2026-58848
Name of the Vulnerable Software and Affected Versions Matter SDK connectedhomeip versions prior to 1.4.0 Description A use of uninitialized value occurs when the GetDestinationGroupId.Value method is called without verifying if a value exists. This happens when an InvokeCommand is sent without...
PT-2026-58849
Name of the Vulnerable Software and Affected Versions Matter SDK connectedhomeip versions prior to 1.4.0 Description A reachable assertion issue exists in the interaction model command processing logic. When an InvokeCommandRequest is sent to a nonexistent endpoint and cluster, the...
CVE-2025-56364
A use of uninitialized value vulnerability exists in the Matter SDK connectedhomeip before 1.4.0, where the GetDestinationGroupId.Value method is called without first checking whether a value exists. This leads to a crash when an InvokeCommand is sent without initializing the destination group ID...
CVE-2025-56362
A reachable assertion vulnerability exists in the Matter SDK connectedhomeip before 1.4.2, specifically within the Level Control cluster's periodic server tick logic. When a MoveToLevel command is sent and immediately followed by a write of OperationMode=2 in the Pump Configuration and Control...
Malicious code in jupiter-sdk (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f8e0901ca45da110106c60f288b0166fc51c348a44569d7e7ff22af3d19deafe On import jupitersdk, the package's top-level init.py fetches a payload over HTTPS from a public IPFS gateway...