7035 matches found
mcp-memory-service: Missing Authentication on Document API Endpoints Allows Unauthenticated Memory Read/Write/Delete
Missing Authentication on Document API Endpoints Allows Unauthenticated Memory Read/Write/Delete SummaryAll HTTP routes under /api/documents/ in mcp-memory-service are served without any authentication dependency, even when the server is configured with an API key MCPAPIKEY or OAuth. An...
Cortex has Untrusted Project Bootstrap Code Execution via `CLAUDE_PROJECT_DIR`
Untrusted Project Bootstrap Code Execution via CLAUDEPROJECTDIR SummaryThe Cortex MCP server neuro-cortex-memory treats the CLAUDEPROJECTDIR environment variable — automatically set by Claude Code to the currently open project directory — as a trusted Cortex developer checkout. When the...
Open Babel has out-of-bounds write in ORCA nAtoms parser (second variant)
SummaryA memory-safety vulnerability in Open Babel's ORCA parser allowed anout-of-bounds write when reading a crafted input file. DetailsA second variant of the nAtoms out-of-bounds write in the ORCAreader: a different malformed-input path produced the same class ofwrite past the end of the...
Open Babel has heap buffer overflow in SMILES OBSmilesParser::ParseSmiles
SummaryA memory-safety vulnerability in Open Babel's SMILES parser caused aheap buffer overflow when reading a crafted input string. DetailsThe flaw was in OBSmilesParser::ParseSmiles. A malformed SMILESinput caused the parser to write past the end of a heap-allocatedbuffer. ImpactOpen Babel is a...
Open Babel has out-of-bounds write in Gaussian coords_type orientation parser
SummaryA memory-safety vulnerability in Open Babel's Gaussian output parserallowed an out-of-bounds write when reading a crafted input file. DetailsThe flaw was in the coordstype orientation parser inside theGaussian output reader. A malformed orientation block caused theparser to write past the...
Open Babel has NULL pointer dereference in CACAO CacaoFormat::SetHilderbrandt
SummaryA memory-safety vulnerability in Open Babel's CACAO parser caused aNULL pointer dereference when reading a crafted input file. DetailsThe flaw was in CacaoFormat::SetHilderbrandt. A malformed inputcaused the parser to dereference a NULL pointer while applying theHilderbrandt transformation...
Open Babel has an out-of-bounds read in CIF transform3d::DescribeAsString
Summary A memory-safety vulnerability in Open Babel's CIF file format parser allowed an out-of-bounds read when reading a crafted input file. Details The flaw was in OpenBabel::transform3d::DescribeAsString. A malformed symmetry-operation string caused the parser to read past the end of its...
mcp-memory-service: OAuth read-only clients can write and delete memories through MCP tools/call
SummaryThe HTTP MCP JSON-RPC endpoint at /mcp requires only OAuth read scope for all requests, then dispatches tools/call directly to handlers that include mutating tools. A read-only OAuth client can call storememory and deletememory through MCP even though the corresponding REST endpoints requi...
Open Babel has out-of-bounds write (overlapping memcpy) in zipstream basic_unzip_streambuf::underflow
SummaryA memory-safety vulnerability in Open Babel's bundled zipstreamdecompression code caused an out-of-bounds write via overlappingmemcpy when reading a crafted gzip-compressed chemistry file. DetailsThe flaw was in basicunzipstreambuf::underflow. The decompressionbuffer refill path invoked...
Open Babel has NULL pointer dereference in MOL2 OBAtom::SetFormalCharge
SummaryA memory-safety vulnerability in Open Babel's MOL2 file format parsercaused a NULL pointer dereference when reading a crafted input file. DetailsThe flaw was in OBAtom::SetFormalCharge as called from the MOL2parser. A malformed atom record caused the parser to call the methodon a NULL atom...
Open Babel has NULL pointer dereference in ChemKinFormat::ReadReactionQualifierLines
SummaryA memory-safety vulnerability in Open Babel's ChemKin parser causeda NULL pointer dereference when reading a crafted input file. DetailsThe flaw was in ChemKinFormat::ReadReactionQualifierLines. Amalformed reaction qualifier record caused the parser to dereferencea NULL pointer. ImpactOpen...
Open Babel has out-of-bounds read in PQS lowerit (pre-buffer read)
SummaryA memory-safety vulnerability in Open Babel's PQS parser caused anout-of-bounds pre-buffer read when reading a crafted input file. DetailsThe flaw was in the lowerit helper used by the PQS parser. Amalformed input caused the helper to read one or more bytes beforethe start of its input...
Open Babel has a NULL pointer dereference in CDXML OBAtom::GetExplicitValence
SummaryA memory-safety vulnerability in Open Babel's CDXML file format parsercaused a NULL pointer dereference when reading a crafted input file. DetailsThe flaw was in OBAtom::GetExplicitValence as called from the CDXMLparser. A malformed fragment caused the parser to invoke the methodon a NULL...
Open Babel has out-of-bounds write in CSR PadString (title field)
SummaryA memory-safety vulnerability in Open Babel's CSR parser allowed anout-of-bounds write when reading a crafted input file. DetailsThe flaw was in the PadString helper used to handle the CSR titlefield. A title longer than the fixed destination buffer caused theparser to write past the end o...
Open Babel has heap buffer overflow in ChemKin ChemKinFormat::CheckSpecies
SummaryA memory-safety vulnerability in Open Babel's ChemKin parser causeda heap buffer overflow when reading a crafted input file. DetailsThe flaw was in ChemKinFormat::CheckSpecies. A malformed speciesrecord caused the parser to write past the end of a heap-allocatedbuffer. ImpactOpen Babel is ...
Open Babel has Use-after-free in GAMESS GAMESSOutputFormat::ReadMolecule
SummaryA memory-safety vulnerability in Open Babel's GAMESS output parsercaused a use-after-free when reading a crafted input file. DetailsThe flaw was in GAMESSOutputFormat::ReadMolecule. A malformed inputcaused the parser to dereference a stale pointer after the underlyingobject had been freed...
Lemur has an authorization bypass in StrictRolePermission / AuthorityCreatorPermission
SummaryStrictRolePermission and AuthorityCreatorPermission in lemur/auth/permissions.py call flaskprincipal.Permission.init with zero Needs when their config flags are unset. Both flags defaulted to False in code prior to the fix, so this was the state of any Lemur install that hadn't explicitly...
python-socketio: Binary attachment accumulation can cause denial of service
ImpactThe python-socketio server stores binary EVENT and ACK messages in memory while it waits to receive their binary attachments. Once all the attachments are received, these messages are then processed. An attacker can submit a binary message and intentionally omit sending one or more of its...
Lemur Privilege Escalation: Non-admin role members can rewrite role membership via PUT /api/1/roles/<id>
Summary The PUT /api/1/roles/ handler in lemur/roles/views.py gates only on RoleMemberPermissionroleid.can, which is satisfied for any user who is already a member of the target role. The handler then passes data"users" and data"name" directly to service.update, permitting any role member to...
joserfc: b64=false RFC7797 JWS payloads bypass JWSRegistry payload-size limits during deserialization
RFC7797 b64=false JWS payloads bypass JWSRegistry payload-size limits during deserialization SummaryTesting revealed that joserfc accepts oversized RFC7797 b64=false JWS payloads without applying JWSRegistry.maxpayloadlength.The normal JWS compact and flattened JSON paths reject payloads above th...
python-engineio has unbound thread allocation that can cause denial of service
ImpactAn attacker can cause the creation of unnecessary background threads in the python-engineio server by exploiting the heartbeat mechanism, which launches a thread when a new connection is received, and when the client sends a PONG packet.Note: this issue primarily affects synchronous servers...
Flawfinder output manipulation via untrusted filenames and source text
ImpactThis vulnerability is an improper input neutralization issue leading to output manipulation, specifically, Terminal/ANSI Escape Sequence Injection and XML Injection: Terminal Output Spoofing: A malicious file whose name contains ANSI escape sequences can end up being included in flawfinder'...
pydantic-ai: SSRF blocklist bypass via IPv4-compatible, SIIT/IVI, and local NAT64 IPv6 addresses (incomplete fix of CVE-2026-46678)
SummaryWhen an application using Pydantic AI opts a URL into forcedownload='allow-local' which disables the default block on private/internal IPs and runs on a network that routes the affected IPv6 transition forms NAT64- or ISATAP-configured networks, the cloud-metadata blocklist could be bypass...
Lemur: Crafted CRL/OCSP URLs in uploaded certificates lead to post-authentication SSRF
Summary When verifying an uploaded certificate, lemur/certificates/verify.py extracts the CRL Distribution Point URL and the OCSP responder URL directly from the certificate's extensions and issues outbound requests to those URLs without scheme restriction or destination allow-listing. An...
Lemur user-update path stores plaintext passwords
Summarylemur.users.service.update writes a user's new password as plaintext to the users.password column. The User model wires bcrypt hashing to SQLAlchemy's beforeinsert event but registers no equivalent listener for beforeupdate, and service.update does not call user.hashpassword after assignin...
pydantic-ai: SSRF blocklist bypass via IPv4-compatible, SIIT/IVI, and local NAT64 IPv6 addresses (incomplete fix of CVE-2026-46678)
SummaryWhen an application using Pydantic AI opts a URL into forcedownload='allow-local' which disables the default block on private/internal IPs and runs on a network that routes the affected IPv6 transition forms NAT64- or ISATAP-configured networks, the cloud-metadata blocklist could be bypass...
Lemur: JWT verifier honors attacker-supplied alg, enabling ATO
Lemur 1.9.0: JWT verifier trusts attacker-supplied alg from token header — defense-in-depth gap; chain-dependent ATO with secret disclosure Vulnerability Summary Field | Value-- | --Title | Lemur 1.9.0: JWT verifier trusts attacker-supplied alg from token header — defense-in-depth gap;...
python-engineio has possible denial of service due to maximum payload size sometimes not being enforced
ImpactThere are two specific configurations of the python-engineio server in which the size of incoming messages is not checked before the messages are loaded into memory. An attacker can take advantage of these to cause unnecessary memory allocations in the python-engineio server. The two cases...
motionEye's missing authentication on ActionHandler allows unauthenticated camera action execution
SummaryThe ActionHandler.post method in motionEye has no authentication decorator, allowing any unauthenticated attacker to trigger camera actions including snapshots, recording start/stop, and configured action scripts PTZ controls, alarm triggers, etc.. Vulnerability DetailsFile:...
OctoPrint has possible file exfiltration via query parameters on upload endpoints
ImpactOctoPrint versions up until and including 1.11.7 as well as 2.0.0rc1 and 2.0.0rc2 contain a vulnerability that allows an attacker with the FILEUPLOAD permission to exfiltrate files from the host that OctoPrint has read access to, by moving them into the upload folder where they then can be...
OctoPrint has XSS in its Suppressed Command Notifications
ImpactOctoPrint versions up to and including 1.11.7 as well as 2.0.0rc1 and 2.0.0rc2 are affected by a vulnerability that allows injection of arbitrary HTML and JavaScript into Suppressed Command notifications popups generated by the printer.An attacker who successfully convinces a victim to prin...
Glances has arbitrary file write and command execution via `secure_popen` redirection and chaining operators in AMP command configuration
SummaryThe securepopen function in glances/secure.py interprets file redirection, | pipe, and && command chaining operators in command strings. These operators are applied without any validation on the target file path, piped command, or chained command.When Application Monitoring Process AMP...
LangGraph Checkpoint: Unsafe JSON deserialization in checkpoint loading
SummaryLangGraph's JsonPlusSerializer can reconstruct Python objects from JSON checkpoint payloads. Under conditions where someone could modify checkpoint bytes at rest in the backing store, the deserialization path could reconstruct objects beyond what the application expects, which could in tur...
amazon-braket-sdk vulnerable to Insecure Deserialization via pickle.loads()
SummaryAmazon Braket SDK is an open-source Python library for interacting with the Amazon Braket quantum computing service, including managing hybrid quantum jobs and retrieving job results. An issue exists where, under certain circumstances, a remote authenticated user with S3 write access to a...
zeroconf: Unvalidated rdlength in record payload readers allows LAN-local cache corruption via crafted mDNS packet
Impactreadcharacterstring and readstring in src/zeroconf/protocol/incoming.py sliced self.dataself.offset : self.offset + length and advanced self.offset by the declared length without checking it against self.datalen. Python's slice silently returns fewer bytes when the end index runs past the...
motionEye's Absolute Path Traversal in Media File Handlers Allows Arbitrary File Read
SummarymEye contains an absolute path traversal vulnerability in multiple media file handlers that allows an attacker to read arbitrary files from the filesystem.The affected handlers accept a user-controlled filename parameter and construct filesystem paths using os.path.join. When an absolute...
LangGraph SDK has unsafe URL path construction
Summarylanggraph-sdk constructs HTTP request paths for resource operations by interpolating caller-supplied identifier values into URL templates. Without sanitization of those values, identifiers that contain characters with special meaning in URL paths could cause the resulting request to addres...
Glances has Insecure Pickle Deserialization in its Version Cache that Leads to Arbitrary Code Execution
Summaryglances/outdated.py uses pickle.load to read a version-check cache file stored at a predictable, world-accessible path /.cache/glances/glances-version.db or $XDGCACHEHOME/glances/glances-version.db. No integrity check, signature verification, or format validation is performed before...
ComfyUI-Manager has an Unprotected Alternate Channel (CWE-420)
ImpactAn Unprotected Alternate Channel CWE-420 vulnerability was discovered in ComfyUI-Manager versions prior to 3.38. Vulnerability DetailsIn affected versions, ComfyUI-Manager stored its configuration in the user/default/ComfyUI-Manager/ directory, which was accessible via ComfyUI's web APIs...
motionEye has an Arbitrary File Read via Path Traversal in Picture/Movie Preview Endpoint
SummarymotionEye v0.43.1 latest stable is vulnerable to path traversal in the picture and movie API endpoints, like /picture/id/preview/filename. Neither the API handlers, nor the mediafiles.py functions like getmediapreview check for .. sequences in the filename parameter, except getmediacontent...
dbt MCP Server: Unauthenticated OAuth Context Endpoint Leaks dbt Platform Tokens
Unauthenticated OAuth Context Endpoint Leaks dbt Platform Tokens SummaryThe local OAuth helper FastAPI server bundled with dbt-mcp exposes the GET /dbtplatformcontext endpoint without any form of authentication or host-origin validation. After a user completes the OAuth login flow against dbt Clo...
Glances: XML-RPC Server Missing Host Header Validation Enables DNS Rebinding Attack
SummaryThe Glances XML-RPC server glances -s, implemented in glances/server.py does not validate the HTTP Host header, leaving it vulnerable to DNS rebinding attacks. CVE-2026-32632 patched in 4.5.2 added TrustedHostMiddleware to the REST/WebUI server; the MCP server has had equivalent protection...
py7zr: O(n^2) algorithmic complexity DoS in PackInfo._read()
SummaryPackInfo.read uses an On^2 cumulative sum pattern where numstreams is read directly from the archive header. A crafted .7z archive with a large numstreams value causes excessive CPU consumption during SevenZipFile.init — no extraction is needed. A 50 KB archive takes 7 seconds of CPU time...
motionEye's World-Readable Configuration File Exposes Admin Password Hash
Security Advisory: World-Readable Configuration File Exposes Admin Password Hash in motionEye SummarymotionEye v0.43.1 and prior versions create the configuration file /etc/motioneye/motion.conf with 644 permissions -rw-r--r--, making it readable by any local user on the system. This file contain...
Glances: XML-RPC Multi-Origin CORS Configuration Silently Falls Back to Wildcard (Incomplete Fix for CVE-2026-33533)
SummaryThe Glances XML-RPC server glances -s introduced a configurable CORS origin list in version 4.5.3 as a mitigation for CVE 2026-33533. However, the implementation silently falls back to Access-Control-Allow-Origin: whenever corsorigins contains more than one entry. An operator who configure...
py7zr: Decompression bomb (zip bomb) denial of service via unchecked extraction size
py7zr's Worker.decompress extracts archive entries without tracking total decompressed size. A crafted .7z file can exhaust disk or memory before the extraction completes.Measured: 15.6 KB archive → 100 MB output 6,556:1 ratio.Proof of concept:pythonimport py7zr, tempfile, os create bomb: compres...
Glances is Vulnerable to Command Injection via KVM/QEMU VM Domain Names in glances/plugins/vms/engines/virsh.py
SummaryThe Glances KVM/QEMU monitoring engine glances/plugins/vms/engines/virsh.py passes VM domain names, read directly from virsh list --all output, into f-string command templates that are processed by securepopen. securepopen is explicitly designed to interpret &&, |, and as shell operators...
jupyterlab-git extension: Stored XSS leading to RCE
OverviewAmazon Web Services AWS Security has identified a stored cross-site scripting XSS issue in the jupyterlab-git JupyterLab extension that can lead to remote code execution RCE. The issue exists in thePlainTextDiff.ts component, where the createHeader method passes Git filenames directly to...
Stanza: Remote Code Execution via Unsafe Pickle Deserialization in Model Loaders
SummaryStanza 1.12.0 attempts to safely load PyTorch checkpoint files using torch.load..., weightsonly=True, but automatically falls back to the fully unsafe torch.load..., weightsonly=False when the safe load raises pickle.UnpicklingError. Because the UnpicklingError condition is fully...
Improper neutralization of argument delimiters in AWS Bedrock AgentCore Python SDK install_packages()
SummaryThe AWS Bedrock AgentCore Python SDK bedrock-agentcore is an open-source SDK that enables developers to build, deploy, and manage agents on AWS Bedrock AgentCore. An issue exists in the installpackages method of the Code Interpreter client where crafted package name arguments can bypass...