Largew

**Name of the Vulnerable Software and Affected Versions** ggerve coding-standards-mcp (affected versions not specified) **Description** A path traversal issue exists in the `get style guide`/`get best practices()` functions within the `server.py` file. Remote attackers can exploit this by manipulating the `Language` argument. Path traversal is a technique that allows an attacker to access files and directories that are stored outside the web root folder by manipulating variables that reference files with dot-dot-slash (../) sequences. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability. As a temporary workaround, restrict access to the `Language` argument in the `get style guide`/`get best practices()` functions to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** ghantakiran splunk-mcp-integration versions up to 0b86b09d5e5adf0433acd43c975951224613a1a6 **Description** A path traversal issue exists in the CSV Export component. A remote attacker can exploit this by manipulating the `job name` argument within the `create csv export()` function located in the 'services/csv-export-service/app/api/v1/endpoints/csv export.py' file. Path traversal is a technique that allows an attacker to access files and directories that are stored outside the intended folder. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability. As a temporary workaround, consider restricting the use of the `job name` argument in the `create csv export()` function to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** eyal-gor p 69 branch monkey mcp versions up to 69bc71874ce40050ef45fde5a435855f18af3373 **Description** An OS command injection flaw exists in the Preview Endpoint component within the file `branch monkey mcp/bridge and local actions/routes/advanced.py`. A remote attacker can exploit this by manipulating the `dev script` argument, allowing for the execution of arbitrary operating system commands. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability. As a temporary workaround, restrict access to the `branch monkey mcp/bridge and local actions/routes/advanced.py` file or avoid using the `dev script` argument in the Preview Endpoint.

**Name of the Vulnerable Software and Affected Versions** geekgod382 filesystem-mcp-server version 1.0.0 **Description** A path traversal issue exists in the `is path allowed()` function within the `server.py` file of the `read file tool/write file tool` component. This flaw allows a remote attacker to manipulate paths, potentially leading to data leaks and Server-Side Request Forgery (SSRF), which is a technique where an attacker forces a server to make requests to an unintended location. **Recommendations** Update to version 1.1.0. As a temporary workaround, restrict access to the `is path allowed()` function to minimize the risk of exploitation.

A security flaw has been discovered in geldata gel-mcp 0.1.0. This impacts the function list rules/fetch rule of the file src/gel mcp/server.py. The manipulation of the argument rule name results in path traversal. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.

**Name of the Vulnerable Software and Affected Versions** getsimpletool mcpo-simple-server versions prior to 0.2.1 **Description** A relative path traversal issue exists in the `delete shared prompt()` function within the `src/mcpo simple server/services/prompt manager/base manager.py` file. This occurs due to improper manipulation of the `detail` argument, allowing a remote attacker to initiate an attack. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability. As a temporary workaround, consider restricting access to the `delete shared prompt()` function.