Cpt_Penner

**Name of the Vulnerable Software and Affected Versions** CoreWorxLab CAAL versions prior to 1.6.1 **Description** A server-side request forgery (SSRF) exists in the test-hass Endpoint component within the `src/caal/webhooks.py` file. This issue allows remote exploitation through the manipulation of an unknown function in that file. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Axle-Bucamp MCP-Docusaurus versions up to 404bc028e15ec304c9a045528560f4b5f27a17e0 **Description** A path traversal flaw exists that can be initiated remotely. The issue is located in the `app/routes/document.py` file within the `update document()`, `continue document()`, `delete document()`, and `get content()` functions. Manipulation of the `DOCS DIR/path` argument allows an attacker to access files and directories outside the intended folder. **Recommendations** As a temporary workaround, restrict access to the `update document()`, `continue document()`, `delete document()`, and `get content()` functions in the `app/routes/document.py` file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** UsamaK98 python-notebook-mcp versions up to a05a232815809a7e425b5fa7be26e0d4369894c2 **Description** A path traversal flaw exists in the `server.py` file. This issue allows a remote attacker to manipulate the `create notebook()`, `read notebook()`, `edit cell()`, and `add cell()` functions to access files and directories outside the intended folder. **Recommendations** As a temporary workaround, restrict access to the `create notebook()`, `read notebook()`, `edit cell()`, and `add cell()` functions in the `server.py` file until a fix is released.

**Name of the Vulnerable Software and Affected Versions** 54yyyu code-mcp versions up to 4cfc4643541a110c906d93635b391bf7e357f4a8 **Description** An issue in the MCP File Handler component allows remote attackers to perform path traversal, which is a technique used to access files and directories outside the intended folder. The flaw exists within the `is safe path()` function located in the `src/code mcp/server.py` file. **Recommendations** As a temporary workaround, consider restricting the use of the `is safe path()` function until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** 54yyyu code-mcp versions up to 4cfc4643541a110c906d93635b391bf7e357f4a8 **Description** Remote command injection is possible in the MCP Tool component. A remote attacker can initiate this attack by manipulating the `operation` argument within the `git operation()` function located in the `src/code mcp/server.py` file. **Recommendations** As a temporary workaround, restrict access to or disable the `git operation()` function until a fix is provided.

**Name of the Vulnerable Software and Affected Versions** RTGS2017 NagaAgent versions prior to 5.1.1 **Description** Improper processing of the file 'apiserver/routes/extensions.py' within the Skills Endpoint component allows for a remote path traversal attack. This occurs through the manipulation of the `Name` argument. Path traversal is a technique that allows an attacker to access files and directories that are stored outside the web root folder. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** wireshark-mcp (affected versions not specified) **Description** A security flaw allows remote OS command injection via the `quick capture()` function within the `pyshark mcp.py` file. This issue enables an attacker to execute arbitrary commands remotely without requiring privileges or user interaction. **Recommendations** As a temporary workaround, consider restricting the use of the `quick capture()` function until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** FastlyMCP versions up to 6f3d0b0e654fc51076badc7fa16c03c461f95620 **Description** An OS command injection flaw exists in the `fastly cli` Tool within the `fastly-mcp.mjs` file. A remote attacker can exploit this by manipulating the `command` argument. OS command injection is a vulnerability that allows an attacker to execute arbitrary operating system commands on the server running the application. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** donchelo processing-claude-mcp-bridge versions up to e017b20a4b592a45531a6392f494007f04e661bd **Description** A path traversal issue exists in the `create sketch` Tool within the `processing server.py` file. This occurs due to improper manipulation of the `sketch name` argument, allowing for remote exploitation. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.