6 matches found
CVE-2026-23523 Dive allows One-click Remote Code Execution through Deep Links for MCP Install
Dive is an open-source MCP Host Desktop Application that enables integration with function-calling LLMs. Prior to 0.13.0, a crafted deep link can install an attacker-controlled MCP server configuration without sufficient user confirmation and can lead to arbitrary local command execution on the...
EUVD-2025-199752
Insecure Direct Object Reference (IDOR) in classroomio 0.1.13 allows unauthorized share and invite access to course settings...
PT-2025-36503
Name of the Vulnerable Software and Affected Versions: @akoskm/create-mcp-server-stdio versions prior to 0.0.13. Description: The @akoskm/create-mcp-server-stdio package, an MCP server starter kit utilizing the StdioServerTransport, contains a command injection issue in versions prior to 0.0.13. Th...
WordPress Menu Icons by ThemeIsle plugin <= 0.13.13 - Authenticated (Author+) Stored Cross-Site Scripting via SVG Upload vulnerability
Authenticated (Author+) Stored Cross-Site Scripting via SVG Upload vulnerability discovered by wesley wcraft in WordPress Plugin Menu Icons by ThemeIsle versions <= 0.13.13...
Apache NiFi Trust Management Issues Vulnerability
Apache NiFi is a data processing and distribution system from the Apache USA Foundation. The system is primarily used for data routing, transformation, and system brokering logic. A trust management issue vulnerability exists in Apache NiFi MiNiFi C++ versions 0.13 through 0.14, which stems from...
mysql: Server: DDL unspecified vulnerability (CPU Jan 2019)
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DDL). Supported versions that are affected are 5.6.42 and prior, 5.7.24 and prior, and 8.0.13 and prior. Easily exploitable vulnerability allows a high privileged attacker with network access via multiple protocols to...