14 matches found

AstraLinux
added 2026/05/20 5:53 a.m., 13 views

Astra Linux - vulnerability in golang-golang-x-net, golang-1.15

In Go before 1.15.12, and in 1.16.x before 1.16.4, net/http allowed remote attackers to cause a denial of service (panic) via a large header sent to ReadRequest or ReadResponse. This issue can affect the Server, Transport, and Client components in certain configurations...

CVSS 5.9, AI score 6.9, EPSS 0.00022
Exploits 0, References 1
Snyk
added 2026/03/30 5:26 p.m., 1 view

Permissive Cross-domain Policy with Untrusted Domains

Overview: Affected versions of this package are vulnerable to Permissive Cross-domain Policy with Untrusted Domains via the HttpServletSseServerTransportProvider and HttpServletStreamableServerTransportProvider classes. An attacker can access sensitive session information by leveraging a malicious...

CVSS 6.1, AI score 5.9, EPSS 0.00012
Exploits 0, References 2
Positive Technologies
added 2026/03/30 12:00 a.m., 4 views

PT-2026-29161

Summary: Hardcoded wildcard CORS Access-Control-Allow-Origin: - https://github.com/modelcontextprotocol/java-sdk/blob/main/mcp-core/src/main/java/io/modelcontextprotocol/server/transport/HttpServletSseServerTransportProvider.javaL289 -...

CVSS 6.1, AI score 6, EPSS 0.00012
Exploits 0, References 7
ATTACKERKB
added 2026/02/04 9:29 p.m., 2 views

CVE-2026-25536

MCP TypeScript SDK is the official TypeScript SDK for Model Context Protocol servers and clients. From version 1.10.0 to 1.25.3, a cross-client response data leak occurs when a single McpServer/Server and transport instance is reused across multiple client connections, most commonly in stateless...

CVSS 7.1, AI score 5.3, EPSS 0.00016
Exploits 0, References 4, Affected Software 1
Cvelist
added 2026/02/04 9:29 p.m., 23 views

CVE-2026-25536 @modelcontextprotocol/sdk has cross-client data leak via shared server/transport instance reuse

MCP TypeScript SDK is the official TypeScript SDK for Model Context Protocol servers and clients. From version 1.10.0 to 1.25.3, a cross-client response data leak occurs when a single McpServer/Server and transport instance is reused across multiple client connections, most commonly in stateless...

CVSS 7.1, EPSS 0.00016
Exploits 0, References 3
OSV
added 2026/02/04 9:29 p.m., 3 views

CVE-2026-25536 @modelcontextprotocol/sdk has cross-client data leak via shared server/transport instance reuse

MCP TypeScript SDK is the official TypeScript SDK for Model Context Protocol servers and clients. From version 1.10.0 to 1.25.3, a cross-client response data leak occurs when a single McpServer/Server and transport instance is reused across multiple client connections, most commonly in stateless...

CVSS 7.1, AI score 5.3, EPSS 0.00016
Exploits 0, References 5
RedhatCVE
added 2025/12/05 6:34 p.m., 5 views

CVE-2025-66414

MCP TypeScript SDK is the official TypeScript SDK for Model Context Protocol servers and clients. Prior to 1.24.0, the Model Context Protocol (MCP) TypeScript SDK does not enable DNS rebinding protection by default for HTTP-based servers. When an HTTP-based MCP server is run on localhost without...

CVSS 7.6, AI score 6.5, EPSS 0.0004
Exploits 0, References 1
NVD
added 2025/12/02 7:15 p.m., 4 views

CVE-2025-66414

MCP TypeScript SDK is the official TypeScript SDK for Model Context Protocol servers and clients. Prior to 1.24.0, the Model Context Protocol (MCP) TypeScript SDK does not enable DNS rebinding protection by default for HTTP-based servers. When an HTTP-based MCP server is run on localhost without...

CVSS 8.1, EPSS 0.0004
Exploits 0, References 2
EUVD
added 2025/11/12 4:29 a.m., 1 view

EUVD-2025-123944

Malicious code in passport-barnard-server-transport npm...

AI score 6.6
Exploits 0
EUVD
added 2025/10/07 12:30 a.m., 3 views

EUVD-2006-3785

Malware in sbrugna...

CVSS 5, AI score 6.4, EPSS 0.02512
Exploits 0, References 12
Snyk
added 2025/09/29 4:28 p.m., 2 views

DNS Rebinding

Overview: Affected versions of this package are vulnerable to DNS Rebinding due to insufficient validation of the Host and Origin headers. An attacker can gain unauthorized access to sensitive data by luring a victim to a malicious website, enabling the attacker to read information from the report...

CVSS 3.1, AI score 6.6, EPSS 0.00185
Exploits 0, References 2
Snyk
added 2025/09/08 7:42 p.m., 2 views

Command Injection

Overview: @akoskm/create-mcp-server-stdio is an MCP server starter kit using the StdioServerTransport. Affected versions of this package are vulnerable to Command Injection via the which-app-on-port tool, which executes exec on user input. An attacker can execute arbitrary commands on the host syste...

CVSS 9.8, AI score 7.6, EPSS 0.00507
Exploits 0, References 3
CNNVD
added 2023/04/08 12:00 a.m., 1 view

Redpanda security vulnerability

Redpanda is a streaming data platform for developers. It is compatible with the Kafka API. A security vulnerability exists in Redpanda versions prior to 23.1.2 that stems from incorrectly handling the redpanda.rpcservertls field, resulting in a data type mismatch...

CVSS 4.3, AI score 5.1, EPSS 0.00285
Exploits 0, References 6
Microsoft CVE
added 2021/06/09 7:00 a.m., 2 views

net/http in Go before 1.15.12 and 1.16.x before 1.16.4 allows remote attackers to cause a denial of service (panic) via a large header to ReadRequest or ReadResponse. Server, Transport, and Client can each be affected in some configurations.

...

CVSS 5.9, AI score 6.4, EPSS 0.00022
Exploits 0