Lucene search

25 matches found

NVD
added 2026/05/25 4:16 p.m. · 8 views

CVE-2026-9467

A vulnerability was identified in debugmcp mcp-debugger up to 0.20.0. Impacted is the function handleGetSourceContext of the file src/server.ts. The manipulation leads to path traversal. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. The...

CVSS 5.3 · EPSS 0.00044
Exploits: 0 · References: 4
Vulnrichment
added 2026/05/25 2:45 p.m. · 6 views

CVE-2026-9467 debugmcp mcp-debugger server.ts handleGetSourceContext path traversal

A vulnerability was identified in debugmcp mcp-debugger up to 0.20.0. Impacted is the function handleGetSourceContext of the file src/server.ts. The manipulation leads to path traversal. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. The...

CVSS 5.3 · AI score 5.5 · EPSS 0.00044
Exploits: 0 · References: 4
OSV
added 2026/05/12 8:16 p.m. · 6 views

PYSEC-2026-145

vLLM is an inference and serving engine for large language models (LLMs). From to before 0.20.0, the extract_hidden_states speculative decoding proposer in vLLM returns a tensor with an incorrect shape after the first decode step, causing a RuntimeError that crashes the EngineCore process. The crash ...

CVSS 6.5 · AI score 5.8 · EPSS 0.00015
Exploits: 0 · References: 2
Vulnrichment
added 2026/05/12 7:58 p.m. · 5 views

CVE-2026-44223 vLLM: extract_hidden_states speculative decoding crashes server on any request with penalty parameters

vLLM is an inference and serving engine for large language models (LLMs). From to before 0.20.0, the extract_hidden_states speculative decoding proposer in vLLM returns a tensor with an incorrect shape after the first decode step, causing a RuntimeError that crashes the EngineCore process. The crash ...

CVSS 6.5 · AI score 5.8 · EPSS 0.00015
Exploits: 0 · References: 2
CVE
added 2026/05/12 7:57 p.m. · 21 views

CVE-2026-44222

CVE-2026-44222 (vLLM) affects vLLM versions 0.6.1 through 0.19.x where a token-injection vulnerability in multimodal processing allows unauthenticated text prompts containing special tokens to be interpreted as control. When image/video placeholder sequences are provided without corresponding dat...

CVSS 7.5 · AI score 5.8 · EPSS 0.00014
Exploits: 1 · References: 2 · Affected Software: 1
Vulnrichment
added 2026/05/12 7:57 p.m. · 8 views

CVE-2026-44222 vLLM: Remote DoS via Special-Token Placeholders

vLLM is an inference and serving engine for large language models (LLMs). From 0.6.1 to before 0.20.0, there is a Token Injection vulnerability in vLLM’s multimodal processing. Unauthenticated, text-only prompts that spell special tokens are interpreted as control. Image and video placeholder...

CVSS 6.5 · AI score 5.8 · EPSS 0.00014
Exploits: 1 · References: 2
EUVD
added 2025/10/10 10:23 p.m. · 2 views

EUVD-2025-33793

External Secrets Operator reads information from a third-party service and automatically injects the values as Kubernetes Secrets. A vulnerability was discovered in the BeyondTrust provider implementation for External Secrets Operator versions 0.10.1 through 0.19.2. The provider previously...

CVSS 8.7 · AI score 6.3 · EPSS 0.00071
Exploits: 0 · References: 1
Cvelist
added 2025/09/17 5:36 p.m. · 7 views

CVE-2025-58766 Dyad Vulnerable to Remote Code Execution via Top-level Navigation in Preview Window

Dyad is a local AI app builder. A critical security vulnerability has been discovered that affected Dyad v0.19.0 and earlier versions that allows attackers to execute arbitrary code on users' systems. The vulnerability affects the application's preview window functionality and can bypass Docker...

CVSS 9 · EPSS 0.00078
Exploits: 0 · References: 3
CVE
added 2025/09/17 5:36 p.m. · 14 views

CVE-2025-58766

Dyad CVE-2025-58766 affects Dyad

CVSS 9 · AI score 7.3 · EPSS 0.00078
Exploits: 0 · References: 3
Vulnrichment
added 2025/09/17 5:36 p.m. · 2 views

CVE-2025-58766 Dyad Vulnerable to Remote Code Execution via Top-level Navigation in Preview Window

Dyad is a local AI app builder. A critical security vulnerability has been discovered that affected Dyad v0.19.0 and earlier versions that allows attackers to execute arbitrary code on users' systems. The vulnerability affects the application's preview window functionality and can bypass Docker...

CVSS 9 · AI score 7.3 · EPSS 0.00078
Exploits: 0 · References: 3
Github Security Blog
added 2025/03/28 10:13 p.m. · 12 views

tough cyclic delegation graphs are not detected

Summary In a TUF repository, the targets role’s signature indicates which target files are trusted by clients. The role can delegate full or partial trust to other roles, meaning that that role is trusted to sign target file metadata. Delegated roles can further delegate trust to other delegated...

AI score 6.7
Exploits: 0 · References: 4 · Affected Software: 1
OSV
added 2025/03/28 10:13 p.m. · 1 views

GHSA-J8X2-777P-23FC tough cyclic delegation graphs are not detected

Summary In a TUF repository, the targets role’s signature indicates which target files are trusted by clients. The role can delegate full or partial trust to other roles, meaning that that role is trusted to sign target file metadata. Delegated roles can further delegate trust to other delegated...

CVSS 2.7 · AI score 6.7
Exploits: 0 · References: 4
Github Security Blog
added 2025/03/28 2:49 p.m. · 17 views

tough timestamp metadata is cached when it fails snapshot rollback check

Summary TUF repositories use the timestamp role to protect against rollback events by enabling an automated process to periodically sign the role's metadata. While tough will ensure that the version of snapshot metadata in new timestamp metadata files was always greater than or equal to the...

CVSS 5.7 · AI score 6.1 · EPSS 0.00255
Exploits: 0 · References: 6 · Affected Software: 1
OSV
added 2025/03/27 11:15 p.m. · 2 views

CVE-2025-2885

Missing validation of the root metadata version number could allow an actor to supply an arbitrary version number to the client instead of the intended version in the root metadata file, altering the version fetched by the client. Users should upgrade to tough version 0.20.0 or later and ensure...

CVSS 4.5 · AI score 7.2
Exploits: 0 · References: 3
OSV
added 2025/03/27 11:15 p.m. · 3 views

CVE-2025-2887

During a target rollback, the client fails to detect the rollback for delegated targets. This could cause the client to fetch a target from an incorrect source, altering the target contents. Users should upgrade to tough version 0.20.0 or later and ensure any forked or derivative code is patched ...

CVSS 4.5 · AI score 7.1
Exploits: 0 · References: 3
Positive Technologies
added 2024/11/18 12:0 a.m. · 1 views

PT-2024-35483 · Unknown · Bitcoin Core

Name of the Vulnerable Software and Affected Versions: Bitcoin Core versions prior to 0.20.0 Description: The issue allows remote attackers to cause a denial of service, specifically through memory consumption, by sending a crafted INV message. Recommendations: For versions prior to 0.20.0, updat...

CVSS 7.5 · AI score 7.4 · EPSS 0.01022
Exploits: 0 · References: 6
OSV
added 2024/04/12 11:7 a.m. · 1 views

OESA-2024-1446 LibRaw security update

LibRaw is a library for reading RAW files from digital photo cameras (CRW/CR2, NEF, RAF, etc, virtually all RAW formats are supported). It pays special attention to correct retrieval of data required for subsequent RAW conversion. The library is intended for embedding in RAW converters, data analyzer...

CVSS 7.8 · AI score 7.3 · EPSS 0.00024
Exploits: 1 · References: 2
CNNVD
added 2024/01/03 12:0 a.m. · 2 views

CouchAuth Security Breach

CouchAuth is an authentication API. A security vulnerability exists in CouchAuth version 0.20.0 and prior versions, which stems from a password reset link that can be sent to a user by sending a specially crafted host header in a forgotten password request, which, if clicked, could allow an...

CVSS 9.6 · AI score 7 · EPSS 0.00104
Exploits: 0 · References: 3
CNNVD
added 2023/02/17 12:0 a.m. · 1 views

Libraw buffer error vulnerability

Libraw is a C++ library from Libraw for processing RAW (CRW/CR2, NEF, RAF, DNG, and other) format images, supporting various operating systems. A security vulnerability exists in Libraw version v0.20.0, which originated from a vulnerability that allows an attacker to elevate privileges via...

CVSS 7.8 · AI score 6 · EPSS 0.00024
Exploits: 1 · References: 12
SUSE CVE
added 2023/02/15 3:57 a.m. · 2 views

SUSE CVE-2020-14198

Bitcoin Core 0.20.0 allows remote denial of service...

CVSS 7.5 · AI score 7.4 · EPSS 0.0186
Exploits: 0 · References: 3