PT-2026-30564

A vulnerability was found in ChrisChinchilla Vale-MCP up to 0.1.0. Affected by this vulnerability is an unknown functionality of the file src/index.ts of the component HTTP Interface. The manipulation of the argument config path results in os command injection. Attacking locally is a requirement...

Magento 2 Development MCP Server 操作系统命令注入漏洞

Magento 2 Development MCP Server is an open-source AI assistant integrated tool developed by elgentos commerce & configurators for Magento 2. Versions of Magento 2 Development MCP Server prior to 1.0.2 contained a vulnerability related to operating system command injection. This vulnerability...

CVE-2026-0737 Shortcodes Ultimate <= 7.4.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'su_lightbox' Shortcode

The WP Shortcodes Plugin - Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 7.4.7. This is due to insufficient input sanitization and output escaping in the 'src' attribute of the sulightbox shortcode. This makes it possib...

EUVD-2026-18202

A security flaw has been discovered in efforthye fast-filesystem-mcp up to 3.5.1. The affected element is the function handleGetDiskUsage of the file src/index.ts. Performing a manipulation results in command injection. The attack is possible to be carried out remotely. The exploit has been...

CVE-2026-5023

A vulnerability has been found in DeDeveloper23 codebase-mcp up to 3ec749d237dd8eabbeef48657cf917275792fde6. This vulnerability affects the function getCodebase/getRemoteCodebase/saveCodebase of the file src/tools/codebase.ts of the component RepoMix Command Handler. Such manipulation leads to os...

CVE-2026-33525

Authelia is an open-source authentication and authorization server providing two-factor authentication and single sign-on SSO for applications via a web portal. In version 4.39.15, an attacker may potentially be able to inject javascript into the Authelia login page if several conditions are met...

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS due to the handling of WebSocket messages for document structure updates in the Seadoc editor. An attacker can execute arbitrary JavaScript code in the context of other users by injecting malicious payloads...

EUVD-2026-14425

A vulnerability was found in HybridAuth up to 3.12.2. This issue affects some unknown processing of the file src/HttpClient/Curl.php of the component SSL Handler. The manipulation of the argument curlOptions results in improper certificate validation. The attack can be launched remotely. This...

EUVD-2026-13768

A vulnerability was found in sigmade Git-MCP-Server up to 785aa159f262a02d5791a5d8a8e13c507ac42880. Affected by this vulnerability is the function childprocess.exec of the file src/gitUtils.ts of the component showmergediff/quickmergesummary/showfilediff. The manipulation results in os command...

CVE-2026-4199 bazinga012 mcp_code_executor index.ts installDependencies command injection

A vulnerability was identified in bazinga012 mcpcodeexecutor up to 0.3.0. Affected by this issue is the function installDependencies of the file src/index.ts. Such manipulation leads to command injection. The attack can only be performed from a local environment. The exploit is publicly available...

PT-2026-24934

A vulnerability was determined in rxi fe up to ed4cda96bd582cbb08520964ba627efb40f3dd91. The impacted element is the function read of the file src/fe.c. This manipulation with the input 1 causes out-of-bounds read. The attack requires local access. The exploit has been publicly disclosed and may ...

fe 缓冲区错误漏洞

fe is a lightweight, embeddable ANSI C scripting language developed by rxi. fe has a buffer error vulnerability, which stems from an out-of-bounds read in the read function located in the src/fe.c file...

CVE-2026-26801

Server-Side Request Forgery SSRF vulnerability in pdfmake versions 0.3.0-beta.2 through 0.3.5 allows a remote attacker to obtain sensitive information via the src/URLResolver.js component. The fix was released in version 0.3.6 which introduces the setUrlAccessPolicy method allowing server operato...

lily 缓冲区错误漏洞

Lily is a programming language developed by FascinatedBox’s individual developers. Versions of Lily prior to 2.3 contained a buffer error vulnerability, which stemmed from an out-of-bounds read in the patchlineend function within the component’s Error Reporting module, located at...

CVE-2026-3285

A vulnerability was determined in berry-lang berry up to 1.1.0. The affected element is the function scanstring of the file src/belexer.c. This manipulation causes out-of-bounds read. The attack requires local access. The exploit has been publicly disclosed and may be utilized. Patch name:...

CVE-2026-1557

The WP Responsive Images plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.0 via the 'src' parameter. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information...

WordPress plugin WP Responsive Images 路径遍历漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. WordPres...

PT-2026-22091

Name of the Vulnerable Software and Affected Versions WP Responsive Images plugin for WordPress versions prior to 1.1 Description The WP Responsive Images plugin for WordPress is susceptible to a Path Traversal issue in versions up to and including 1.0. This allows unauthenticated attackers to re...

PT-2026-21378

Name of the Vulnerable Software and Affected Versions janet-lang versions prior to 1.41.0 Description A flaw exists in the janet-lang software, specifically within the janetc varset function located in the src/core/specials.c file, part of the handleattr Handler component. This issue can lead to ...

CVE-2019-25386

Smoothwall Express 3.1-SP4-polar-x8664-update9 contains multiple reflected cross-site scripting vulnerabilities in the dmzholes.cgi script that allow attackers to inject malicious scripts through unvalidated parameters. Attackers can submit POST requests with script payloads in the SRCIP, DESTIP,...