
78 matches found

NVD
added 2026/03/20 8:16 a.m., 8 views

CVE-2026-33060

CKAN MCP Server is a tool for querying CKAN open data portals. Versions prior to 0.4.85 provide tools including ckanpackagesearch and sparqlquery that accept a baseurl parameter, making HTTP requests to arbitrary endpoints without restriction. A CKAN portal client has no legitimate reason to...

CVSS 5.7, EPSS 0.00289
Exploits: 1, References: 2
CVE
added 2026/03/20 7:21 a.m., 13 views

CVE-2026-33060

The CVE-2026-33060 entry affects the CKAN MCP Server prior to version 0.4.85. The vulnerable components are the MCP server tools ckan_package_search, sparql_query, and ckan_datastore_search_sql, which accept a base_url parameter that can be used to make HTTP requests to arbitrary endpoints. The r...

CVSS 5.7, AI score 5.9, EPSS 0.00289
Exploits: 1, References: 2, Affected Software: 1
ATTACKERKB
added 2026/03/20 7:21 a.m., 3 views

CVE-2026-33060

CKAN MCP Server is a tool for querying CKAN open data portals. Versions prior to 0.4.85 provide tools including ckanpackagesearch and sparqlquery that accept a baseurl parameter, making HTTP requests to arbitrary endpoints without restriction. A CKAN portal client has no legitimate reason to...

CVSS 5.3, AI score 5.9, EPSS 0.00289
Exploits: 1, References: 3, Affected Software: 1
OSV
added 2026/03/20 7:21 a.m., 4 views

CVE-2026-33060 CKAN MCP Server: SSRF via base_url allows access to internal networks

CKAN MCP Server is a tool for querying CKAN open data portals. Versions prior to 0.4.85 provide tools including ckanpackagesearch and sparqlquery that accept a baseurl parameter, making HTTP requests to arbitrary endpoints without restriction. A CKAN portal client has no legitimate reason to...

CVSS 5.3, AI score 5.8, EPSS 0.00289
Exploits: 1, References: 4
Snyk
added 2026/03/18 12:59 p.m., 8 views

Server-side Request Forgery (SSRF)

Overview: @aborruso/ckan-mcp-server is an MCP server for interacting with CKAN open data portals. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the baseurl parameter in the ckanpackagesearch, sparqlquery, and ckandatastoresearchsql tools. An attacker can...

CVSS 6, AI score 5.8, EPSS 0.00289
Exploits: 1, References: 2
Github Security Blog
added 2026/03/18 12:59 p.m., 6 views

SSRF in @aborruso/ckan-mcp-server via base_url allows access to internal networks

Summary: The @aborruso/ckan-mcp-server MCP server provides tools including ckanpackagesearch and sparqlquery that accept a baseurl parameter, making HTTP requests to arbitrary endpoints without restriction. A CKAN portal client has no legitimate reason to contact cloud metadata or internal network...

CVSS 5.7, AI score 5.9, EPSS 0.00289
Exploits: 1, References: 4, Affected Software: 1
GitLab Advisory Database
added 2026/03/18 12:00 a.m., 10 views

SSRF in @aborruso/ckan-mcp-server via base_url allows access to internal networks

The @aborruso/ckan-mcp-server MCP server provides tools including ckanpackagesearch and sparqlquery that accept a baseurl parameter, making HTTP requests to arbitrary endpoints without restriction. A CKAN portal client has no legitimate reason to contact cloud metadata or internal network service...

CVSS 5.7, AI score 5.9, EPSS 0.00289
Exploits: 1, References: 4, Affected Software: 1
IBM Security Bulletins
added 2026/02/16 10:23 p.m., 11 views

Security Bulletin: IBM Jazz Reporting Service (Lifecycle Query Engine - LQE) is affected by SPARQL Exposure and Denial-of-Service Vulnerabilities.

Summary: Multiple vulnerabilities were identified in IBM Jazz Reporting Service (Lifecycle Query Engine - LQE) SPARQL endpoints that may allow information disclosure and service degradation by authenticated, lower-privileged users with network access (CVE-2025-27550, CVE-2025-2134, CVE-2025-1823...

CVSS 3.5, AI score 5.5, EPSS 0.00216
Exploits: 0, Affected Software: 1
EUVD
added 2025/10/07 12:30 a.m., 3 views

EUVD-2012-5750

Malware in sbrugna...

CVSS 9.8, AI score 9.2, EPSS 0.00752
Exploits: 1, References: 2
EUVD
added 2025/10/07 12:30 a.m., 4 views

EUVD-2014-3100

Malware in sbrugna...

CVSS 2.1, AI score 6.4, EPSS 0.01647
Exploits: 0, References: 8
EUVD
added 2025/10/03 8:07 p.m., 4 views

EUVD-2023-2087

Malicious code in bioql PyPI...

CVSS 8.8, AI score 6.9, EPSS 0.01324
Exploits: 0, References: 5
EUVD
added 2025/10/03 8:07 p.m., 7 views

EUVD-2022-4146

Malicious code in bioql PyPI...

CVSS 7.5, AI score 7.6, EPSS 0.03016
Exploits: 1, References: 7
vulnersOsv
added 2025/07/21 12:30 p.m., 2 views

com.github.DilvanLab:GroovySparql (=0.9.1), com.github.albaker:GroovySparql (=0.6) +10 more potentially affected by CVE-2025-50151 via org.apache.jena:jena (>=2.7.4 <=5.0.0)

org.apache.jena:jena MAVEN version =2.7.4, =0.8.0-RC3, =0.8.0-RC3, =0.3.0, =0.8.0-RC3, =0.8.0-RC3, =0.8.0-RC3, =0.8.0-RC3, =0.9.0. Source CVEs: CVE-2025-50151. Source advisory: OSV:GHSA-XG9P-P463-3QJP...

CVSS 8.8, AI score 5.8, EPSS 0.00937
Exploits: 0
vulnersOsv
added 2025/06/22 10:40 p.m., 7 views

org.apache.marmotta:marmotta-ldpath (=3.1.0-incubating), org.apache.marmotta:marmotta-sparql (=3.1.0-incubating) potentially affected by CVE-2025-6493 via org.apache.marmotta.webjars:codemirror (=3.1.0-incubating)

org.apache.marmotta.webjars:codemirror MAVEN version =3.1.0-incubating is affected by a known vulnerability. The following packages have a transitive dependency on org.apache.marmotta.webjars:codemirror and may be impacted: - org.apache.marmotta:marmotta-ldpath =3.1.0-incubating -...

CVSS 6.9, AI score 6, EPSS 0.00448
Exploits: 0
RedhatCVE
added 2025/05/23 5:10 a.m., 7 views

CVE-2023-32200

There are insufficient restrictions on called script functions in Apache Jena versions 4.8.0 and earlier. It allows a remote user to execute JavaScript via a SPARQL query. This issue affects Apache Jena from 3.7.0 through 4.8.0...

CVSS 8.8, AI score 7, EPSS 0.00987
Exploits: 0, References: 1
RedhatCVE
added 2025/05/22 3:42 a.m., 6 views

CVE-2012-5872

ARC (aka ARC2) through 2011-12-01 allows blind SQL injection in getTriplePatternSQL in ARC2StoreSelectQueryHandler.php via comments in a SPARQL WHERE clause...

CVSS 9.8, AI score 8.2, EPSS 0.00752
Exploits: 1, References: 1
IBM Security Bulletins
added 2023/10/04 8:15 a.m., 41 views

Security Bulletin: Vulnerability in Apache Jena-arq library affects IBM Engineering Lifecycle Optimization - Publishing

Summary: IBM Engineering Lifecycle Optimization - Publishing is vulnerable to a remote attack due to Apache Jena-arq. Vulnerability Details: CVEID: CVE-2023-22665. DESCRIPTION: Apache Jena could allow a remote attacker to execute arbitrary code on the system, caused by improper checking of user querie...

CVSS 5.4, AI score 6.3, EPSS 0.01324
Exploits: 0, Affected Software: 1
Veracode
added 2023/07/26 10:23 a.m., 34 views

Remote Code Execution (RCE)

org.apache.jena:jena is vulnerable to Remote Code Execution (RCE). Lack of proper checking of user permissions in script functions allows an attacker to upload and execute malicious code on the system via a SPARQL query...

CVSS 8.8, AI score 7.8, EPSS 0.01324
Exploits: 0, References: 4, Affected Software: 1
CNVD
added 2023/07/14 12:00 a.m., 18 views

Apache Jena Code Execution Vulnerability

Apache Jena is a Java Semantic Web framework from the Apache Foundation (United States), used to build semantic web and linked data applications. Apache Jena suffers from a code execution vulnerability that stems from insufficient restrictions on called script functions. An attacker can exploi...

CVSS 8.8, AI score 7.6, EPSS 0.00987
Exploits: 0, References: 1
Github Security Blog
added 2023/07/12 9:30 a.m., 22 views

Apache Jena Expression Language Injection vulnerability

There are insufficient restrictions on called script functions in Apache Jena versions 4.8.0 and earlier. It allows a remote user to execute JavaScript via a SPARQL query. This issue affects Apache Jena from 3.7.0 through 4.8.0...

CVSS 8.8, AI score 7.1, EPSS 0.01324
Exploits: 0, References: 5, Affected Software: 1