CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

EUVD•added 10 hours ago•6 views

EUVD-2026-37881

An authenticated authorization bypass vulnerability exists in MCP Toolbox for Databases due to missing scope enforcement across older protocol handlers. While the 2025-11-25 protocol version handler correctly enforces per-tool restrictions defined by scopesRequired, older supported protocol...

8.6CVSS5.5AI score

CVE•added 10 hours ago•10 views

CVE-2026-11717

CVE-2026-11717 details an authentication bypass in googleapis/mcp-toolbox, specifically in the validateOpaqueToken path. When verifying an unparsed opaque token via an OAuth 2.0 introspection endpoint (RFC 7662), the toolbox decodes the response into an introspectResp with Active as a *bool. The ...

9.3CVSS5.4AI score

EUVD•added 10 hours ago•5 views

EUVD-2026-37879

An authentication bypass vulnerability exists in the generic opaque token validation path validateOpaqueToken of googleapis/mcp-toolbox. When verifying an unparsed opaque token via an OAuth 2.0 introspection endpoint RFC 7662, the toolbox decodes the response into an introspectResp struct where t...

9.3CVSS5.4AI score

OSSF Malicious Packages•added 2026/06/11 1:54 p.m.•8 views

Malicious code in @tenforce/toolbox-fontmap (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware fc43bc0434418226ca77115c791ff0ea0031a0d314e73acfe0a62686528ceaad Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

5.5AI score

OSV•added 2026/06/11 1:54 p.m.•5 views

MAL-2026-5663 Malicious code in @tenforce/toolbox-fontmap (npm)

5.5AI score

Snyk•added 2026/06/11 1:54 p.m.•2 views

Malicious Package

Overview @tenforce/toolbox-fontmap is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...

9.8CVSS5.4AI score

RedhatCVE•added 2026/06/05 7:45 p.m.•7 views

CVE-2026-31229

The Adversarial Robustness Toolbox ART thru 1.20.1 contains an insecure deserialization vulnerability CWE-502 in its Kubeflow component's model loading functionality. When loading model weights from a file e.g., model.pt during robustness evaluation, the code uses torch.load without the...

9.8CVSS6.1AI score0.006EPSS

RedhatCVE•added 2026/06/05 7:45 p.m.•6 views

CVE-2026-31230

The Adversarial Robustness Toolbox ART thru 1.20.1 contains a command-line argument injection vulnerability in its Kubeflow component robustnessevaluationfgsmpytorch.py. The script uses the unsafe eval function to parse string values provided via the --clipvalues and --inputshape command-line...

9.8CVSS6.2AI score0.00497EPSS

RedhatCVE•added 2026/06/05 7:45 p.m.•7 views

CVE-2026-31228

The Adversarial Robustness Toolbox ART thru 1.20.1 contains a remote code execution vulnerability in its Kubeflow component. The robustness evaluation function for PyTorch models uses the unsafe eval function to dynamically evaluate user-supplied strings for the LossFn and Optimizer parameters...

9.8CVSS6.5AI score0.00544EPSS

RedhatCVE•added 2026/06/05 7:18 p.m.•7 views

CVE-2026-9739

Vulnerable to DNS rebinding attacks when using SSE http://b/499408790. During the beta phase, we implemented allowed-origins and allowed-hosts flags to align with MCP security guidelines. However, the hardcoded Access-Control-Allow-Origin: header in the SSE initialization handler was inadvertentl...

9.4CVSS5.5AI score0.00179EPSS

EUVD•added 2026/05/28 12:30 a.m.•8 views

EUVD-2026-32672

NVD•added 2026/05/27 11:16 p.m.•15 views

Exploits0References3

CVE-2026-9739

9.4CVSS0.00179EPSS

Vulnrichment•added 2026/05/27 9:38 p.m.•8 views

CVE-2026-9739

Cvelist•added 2026/05/27 9:38 p.m.•32 views

CVE-2026-9739

9.4CVSS0.00179EPSS

ATTACKERKB•added 2026/05/27 9:38 p.m.•9 views

CVE-2026-9739

CVE•added 2026/05/27 9:38 p.m.•25 views

Exploits0References3

CVE-2026-9739

CVE-2026-9739 describes a DNS rebinding vulnerability due to a hardcoded Access-Control-Allow-Origin: * in the SSE initialization handler, despite earlier attempts to align with MCP security guidelines using allowed-origins and allowed-hosts. The issue specifically affects users connecting via To...

Positive Technologies•added 2026/05/27 12:0 a.m.•10 views

PT-2026-44123

Name of the Vulnerable Software and Affected Versions Toolbox affected versions not specified Description The software is susceptible to DNS rebinding attacks when using Server-Sent Events SSE under specification v2024-11-05. This occurs because the SSE initialization handler retains a hardcoded...

CNNVD•added 2026/05/27 12:0 a.m.•4 views

Exploits0References8

Google MCP Toolbox for Databases 安全漏洞

Google MCP Toolbox for Databases is an open-source Model Context Protocol MCP server developed by Google, Inc. There is a security vulnerability in Google MCP Toolbox for Databases. This vulnerability arises from the susceptibility to DNS redirection attacks when using SSE, and the hard-coded...