Bigw

**Name of the Vulnerable Software and Affected Versions** Divyanshu-hash GitPilot-MCP versions up to 9ed9f153ba4158a2ad230ee4871b25130da29ffd **Description** Remote command injection is possible through the manipulation of the `command` argument. This issue impacts the `repo path()` function within the main.py file, allowing an attacker to execute arbitrary commands remotely. **Recommendations** As a temporary workaround, consider restricting the use of the `repo path()` function until a fix is available.

**Name of the Vulnerable Software and Affected Versions** devlikeapro WAHA versions prior to 2026.3.5 **Description** A flaw in the API Request Handler component, specifically within the `src/api/media.controller.ts` file, allows for remote server-side request forgery (SSRF). SSRF is a flaw that allows an attacker to induce the server-side application to make requests to an unintended location. **Recommendations** Update to a version newer than 2026.3.4. As a temporary workaround, restrict access to the `src/api/media.controller.ts` file or the associated API endpoints to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions Song-Li cross browser up to ca690f0fe6954fd9bcda36d071b68ed8682a786a Description A vulnerability exists in Song-Li cross browser, potentially allowing for SQL injection. The issue affects an unknown part of the `flask/uniquemachine app.py` file within the details Endpoint. Manipulation of the `ID` argument can trigger the vulnerability, and it can be exploited remotely. The exploit has been publicly disclosed. Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions mixelpixx Google-Research-MCP (affected versions not specified) Description A security issue exists in the function `extractContent` of the file `src/services/content-extractor.service.ts` within the Model Context Protocol Handler component. Manipulation of the `URL` argument can lead to server-side request forgery. This attack can be initiated remotely and has been publicly disclosed. Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions AlejandroArciniegas mcp-data-vis (affected versions not specified) Description A SQL injection issue exists in the `Request` function within the `src/servers/database/server.js` file of the MCP Handler component. This manipulation can be initiated remotely. The exploit has been publicly disclosed. The product uses a rolling release model, so specific version information is unavailable. Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions huimeicloud hm editor versions up to 2.2.3 Description A flaw exists in the `client.get` function within the image-to-base64 component, specifically in the file `src/mcp-server.js`. Manipulation of the `url` argument can result in server-side request forgery (SSRF). This issue is remotely exploitable. The details of the flaw have been publicly disclosed, and the vendor was notified but did not respond. Recommendations Update huimeicloud hm editor to a version later than 2.2.3.

Name of the Vulnerable Software and Affected Versions priyankark a11y-mcp versions up to 1.0.5 Description A flaw exists in the A11yServer function within the src/index.js file of priyankark a11y-mcp. This issue allows for server-side request forgery when initiated locally. The exploit is publicly available. The product follows a rolling release model, so specific version details for fixes are not available. Recommendations Upgrade to version 1.0.6 to resolve the issue.