Littlew

**Name of the Vulnerable Software and Affected Versions** ezequiroga mcp-bases 357ca19c7a49a9b9cb2ef639b366f03aba8bea39/c630b8ab0f970614d42da8e566e9c0d15a16414c (affected versions not specified) **Description** Manipulation of the `topic` argument in the `search papers()` function within the `research server.py` file allows for path traversal, which is a method used to access files and directories that are stored outside the intended folder. This issue enables remote exploitation. **Recommendations** As a temporary workaround, consider restricting the use of the `topic` argument in the `search papers()` function until a fix is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** fatbobman mail-mcp-bridge versions prior to 1.3.4 **Description** A flaw in the file `src/mail mcp server.py` allows remote attackers to perform path traversal by manipulating the `message ids` argument. Path traversal is a technique that allows an attacker to access files and directories that are stored outside the web root folder. **Recommendations** Update to version 1.3.4.

**Name of the Vulnerable Software and Affected Versions** florensiawidjaja BioinfoMCP versions up to 7ada7918b9e515604d3c0ae264d3a9af10bf6e54 **Description** A path traversal issue exists in the Upload Endpoint component within the `Upload()` function of the `bioinfo mcp platform/app.py` file. A remote attacker can exploit this by manipulating the `Name` argument, allowing files to be written to or read from arbitrary locations on the system. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** elie mcp-project version 0.1.0 **Description** A path traversal issue exists in the `search papers()` function within the `research server.py` file. This occurs when the `topic` argument is manipulated, allowing for unauthorized file system access. Local access is required to exploit this flaw. **Recommendations** As a temporary workaround, restrict the use of the `topic` argument in the `search papers()` function to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

A vulnerability was detected in eiceblue spire-doc-mcp-server 1.0.0. This affects the function get doc path of the file src/spire doc mcp/api/base.py. Performing a manipulation of the argument document name results in path traversal. The attack can be initiated remotely. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet.

**Name of the Vulnerable Software and Affected Versions** elinsky execution-system-mcp version 0.1.0 **Description** A path traversal flaw exists in the `add action` Tool within the ` get context file path()` function of the `src/execution system mcp/server.py` file. A remote attacker can initiate this attack by manipulating the `context` argument, allowing unauthorized access to files or directories outside the intended folder. **Recommendations** As a temporary workaround, restrict the use of the `context` argument in the `add action` Tool or disable the ` get context file path()` function until a fix is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

A flaw has been found in eiceblue spire-pdf-mcp-server 0.1.1. This impacts the function get pdf path of the file src/spire pdf mcp/server.py of the component PDF File Handler. Executing a manipulation of the argument filepath can lead to path traversal. The attack can be launched remotely. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet.

A vulnerability has been found in eiliyaabedini aider-mcp up to 667b914301aada695aab0e46d1fb3a7d5e32c8af. Affected is an unknown function of the file aider mcp.py of the component code with ai. The manipulation of the argument working dir/editable files leads to command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. The project was informed of the problem early through an issue report but has not responded yet.