MCP URL Downloader 代码问题漏洞

MCP URL Downloader is an AI assistant tool developed by Dmitry Gilemkhanov, which allows downloading files from URLs to a local device. Versions of MCP URL Downloader 4b8cf2de55f6e8864a77d108e8a94a5b8e4394c6 and earlier have code vulnerabilities. These vulnerabilities stem from improper handling ...

Malicious code in @apple-pay-trust/validate-merchant (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 04e899c9f267696289778cbf0c2c4f8da289e47bb3bce95ffa4fa4e3fe290722 The package @apple-pay-trust/validate-merchant was found to contain malicious code. Source: ghsa-malware...

MAL-2026-3055 Malicious code in @apple-pay-trust/validate-merchant (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 04e899c9f267696289778cbf0c2c4f8da289e47bb3bce95ffa4fa4e3fe290722 The package @apple-pay-trust/validate-merchant was found to contain malicious code. Source: ghsa-malware...

JLSEC-2026-179

When calling bsonutf8validate on some inputs a loop with an exit condition that cannot be reached may occur, i.e. an infinite loop. This issue affects All MongoDB C Driver versions prior to versions 1.25.0...

af_key: validate families in pfkey_send_migrate()

...

Unity Linux 20.1060a / 20.1070a Security Update: kernel (UTSA-2026-013573)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-013573 advisory. In the Linux kernel, the following vulnerability has been resolved: cifs: Fix the error length of VALIDATENEGOTIATEINFO message Commit d5c7076b772a smb3: add smb3.1....

PT-2026-34420

Name of the Vulnerable Software and Affected Versions Linux kernel affected versions not specified Description An issue exists in the pfkey send migrate function where it fails to validate old and new families. This can lead to the family argument in set ipsecrequest being truncated, potentially...

Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: kernel (UTSA-2026-011204)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-011204 advisory. In the Linux kernel, the following vulnerability has been resolved: i40e: fix idx validation in i40evalidatequeuemap Ensure idx is within range of active/initialized...

CVE-2026-6628

CVE-2026-6628 affects phili67 Ecclesia CRM up to version 8.0.0. The vulnerability is in the Query Viewer Component, specifically the ValidateInput function under /v2/query/view/, where manipulation of the custom argument leads to SQL injection. The issue can be triggered remotely and the exploit ...

CVE-2026-6628 phili67 Ecclesia CRM Query Viewer view ValidateInput sql injection

A flaw has been found in phili67 Ecclesia CRM up to 8.0.0. This affects the function ValidateInput of the file /v2/query/view/ of the component Query Viewer Component. This manipulation of the argument custom causes sql injection. The attack can be initiated remotely. The exploit has been publish...

Time-of-check Time-of-use (TOCTOU) Race Condition

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Time-of-check Time-of-use TOCTOU Race Condition via the validateScriptFileForShellBleed function. An attacker can cause the preflight analysis to inspect a different file than the one tha...

Improper Check for Unusual or Exceptional Conditions

Overview Affected versions of this package are vulnerable to Improper Check for Unusual or Exceptional Conditions in the bsonvalidate function. An attacker can cause malformed or invalid UTF-8 sequences to bypass validation and be processed incorrectly by submitting specially crafted BSON data to...

MongoDB C Driver 安全漏洞

The MongoDB C Driver is an open-source client driver developed by MongoDB, designed to connect to and operate MongoDB databases in C-language programs. Versions of the MongoDB C Driver prior to 1.30.5, as well as 2.0.0 and 2.0.1, contain security vulnerabilities. These vulnerabilities stem from t...

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the validateWebhookURL function. An administrator can access internal network resources and cloud metadata endpoints by submitting webhook URLs that use hostnames resolving to private IP addresses,...

GHSA-R2X7-427F-RQ69 Ech0 has SSRF via DNS Resolution Bypass in Webhook URL Validation

Summary The validateWebhookURL function in webhooksettingservice.go attempts to block webhooks targeting private/internal IP addresses, but only checks literal IP strings via net.ParseIP. Hostnames that DNS-resolve to private IPs e.g., 169.254.169.254.nip.io, 10.0.0.1.nip.io bypass all checks,...

EUVD-2026-21174

PraisonAIAgents: Path Traversal via Unvalidated Glob Pattern in listfiles Bypasses Workspace Boundary...

UBUNTU-CVE-2026-3446

When calling base64.b64decode or related functions the decoding process would stop after encountering the first padded quad regardless of whether there was more information to be processed. This can lead to data being accepted which may be processed differently by other implementations. Use...

CVE-2026-3446

When calling base64.b64decode or related functions the decoding process would stop after encountering the first padded quad regardless of whether there was more information to be processed. This can lead to data being accepted which may be processed differently by other implementations. Use...

CVE-2026-3446

CVE-2026-3446 affects Python’s base64 decoding (base64.b64decode and related functions). The root cause is that the decoder stops after the first padded quad, potentially leaving additional data unprocessed. This can cause data to be accepted and then processed differently by other implementation...

CVE-2026-39361

OpenObserve (cloud-native observability platform)