152 matches found
CVE-2025-66336
Apache Doris MCP Server contains a SQL injection vulnerability in a metadata query path. A user-controlled database name is directly interpolated into a SQL query, and the query is executed without passing the caller's authorization context. This may allow an authenticated attacker, or an anonymo...
CVE-2025-66336 Apache Doris MCP Server: SQL injection leading the authentication bypass
Apache Doris MCP Server contains a SQL injection vulnerability in a metadata query path. A user-controlled database name is directly interpolated into a SQL query, and the query is executed without passing the caller's authorization context. This may allow an authenticated attacker, or an anonymo...
PT-2026-51281
Name of the Vulnerable Software and Affected Versions Apache Doris MCP Server versions prior to 0.6.1 Description A SQL injection exists in a metadata query path where a user-controlled database name is directly interpolated into a SQL query. The query is executed without the caller's authorizati...
CVE-2025-66335
Apache Doris MCP Server versions earlier than 0.6.1 are affected by an improper neutralization flaw in query context handling that may allow execution of unintended SQL statements and bypass of intended query validation and access restrictions through the MCP query execution interface. Version...
Fedora 44 : python-uv-build / rust-astral-tokio-tar / uv (2026-7aacc8ea7d)
The remote Fedora 44 host has packages installed that are affected by a vulnerability as referenced in the FEDORA-2026-7aacc8ea7d advisory. Update uv and python-uv-build to 0.11.11. Update the astral-tokio-tar Rust crate to 0.6.1, fixing security advisories GHSA- xx64-wwv2-hcqq and GHSA-...
aurora-cycler-manager (=0.11.4), fusion-tools (>=3.6.19 <=3.6.90) +7 more potentially affected by CVE-2026-38361 via dash-uploader (>=0.6.0 <=0.6.1)
dash-uploader PYPI version =0.6.0, =3.6.19, =0.0.11, =0.0.30, =0.0.50.0, =0.2.1, =0.2.0, =0.4.1 Source cves: CVE-2026-38361 Source advisory: OSV:PYSEC-2026-37...
GHSA-XX64-WWV2-HCQQ astral-tokio-tar: `unpack_in` can chmod arbitrary directories by following symlinks
Impact In versions 0.6.0 and earlier of astral-tokio-tar, the unpackin API could inadvertently modify the permissions of external i.e. non-archive directories outside of the archive. An attacker could use this to contrite a tar archive that maliciously changes directory permissions outside of its...
EUVD-2025-209532
Apache Doris MCP Server versions earlier than 0.6.1 are affected by an improper neutralization flaw in query context handling that may allow execution of unintended SQL statements and bypass of intended query validation and access restrictions through the MCP query execution interface. Version...
CVE-2025-66335 Apache Doris MCP Server: MCP SQL inject
Apache Doris MCP Server versions earlier than 0.6.1 are affected by an improper neutralization flaw in query context handling that may allow execution of unintended SQL statements and bypass of intended query validation and access restrictions through the MCP query execution interface. Version...
Apache Doris MCP Server 安全漏洞
Apache Doris MCP Server is a context-based protocol backend service provided by the Apache Foundation. Versions of Apache Doris MCP Server prior to 0.6.1 contained security vulnerabilities. These vulnerabilities stemmed from improper handling of query contexts, which could lead to the execution o...
TorchGeo Remote Code Execution Vulnerability
Impact TorchGeo 0.4–0.6.0 used an eval statement in its model weight API that could allow an unauthenticated, remote attacker to execute arbitrary commands. All platforms that expose torchgeo.models.getweight or torchgeo.trainers as an external API could be affected. Patches The eval statement wa...
CVE-2024-43035
Fonoster 0.5.5 before 0.6.1 allows ../ directory traversal to read arbitrary files via the /sounds/:file or /tts/:file VoiceServer endpoint. This occurs in serveFiles in mods/voice/src/utils.ts. NOTE: serveFiles exists in 0.5.5 but not in the next release, 0.6.1...
SUSE CVE-2025-15095
A security vulnerability has been detected in postmanlabs httpbin up to 0.6.1. This affects an unknown function of the file httpbin-master/httpbin/core.py. The manipulation leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used...
TorchGeo Remote Code Execution Vulnerability
Impact TorchGeo 0.4–0.6.0 used an ""eval"" https://docs.python.org/3/library/functions.htmleval statement in its model weight API that could allow an unauthenticated, remote attacker to execute arbitrary commands. All platforms that expose ""torchgeo.models.getweight""...
[SECURITY] Fedora 41 Update: rust-tikv-jemalloc-sys-0.6.1-1.fc41
Rust FFI bindings to jemalloc...
EUVD-2004-1274
Malware in sbrugna...
EUVD-2018-1927
Malware in sbrugna...
EUVD-2021-2016
Malware in sbrugna...
EUVD-2023-44641
Malicious code in bioql PyPI...
EUVD-2025-24029
Malicious code in bioql PyPI...