Rémy Marot

Researcher fromTenable
#10671of 53,638
25.9Total CVSS
Vulnerabilities · 3
Medium
1
Critical
2
PT-2025-25442
10
2025-03-26
Unknown · Mcp Inspector · CVE-2025-49596
**Name of the Vulnerable Software and Affected Versions** MCP Inspector versions prior to 0.14.1 **Description** The MCP Inspector is a developer tool used for testing and debugging MCP servers. Versions prior to 0.14.1 are vulnerable to remote code execution (RCE) due to a lack of authentication between the Inspector client and proxy. This allows unauthenticated requests to launch MCP commands over stdio. The vulnerability is exploitable by chaining a known flaw affecting modern web browsers (0.0.0.0 Day) with a cross-site request forgery (CSRF) vulnerability. An attacker can execute arbitrary code on a developer's machine by tricking them into visiting a malicious website. The default configurations of the tool expose it to significant security risks, including missing authentication and encryption. The vulnerability has a CVSS score of 9.4 and is considered critical. **Recommendations** Upgrade to MCP Inspector version 0.14.1 or later.
PT-2024-38860
9.8
2024-08-27
Flowise · Flowise · CVE-2024-8181
Name of the Vulnerable Software and Affected Versions: Flowise version 1.8.2 Description: An Authentication Bypass issue exists, allowing a remote, unauthenticated attacker to access API endpoints as an administrator and access restricted functionality. Recommendations: For Flowise version 1.8.2, as a temporary workaround, consider restricting access to API endpoints to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
PT-2023-20325
6.1
2023-05-08
Strikingly · Strikingly Cms · CVE-2023-2582
**Name of the Vulnerable Software and Affected Versions** Strikingly CMS (affected versions not specified) **Description** A prototype pollution issue exists in Strikingly CMS, potentially leading to reflected cross-site scripting (XSS) in affected applications and sites. This occurs because the Strikingly JavaScript library's parsing of the URL fragment allows access to the ` proto ` or constructor properties and the Object prototype. An attacker could exploit this by convincing a victim to visit a specially crafted link, leveraging an embedded gadget like jQuery to achieve arbitrary JavaScript execution in the context of the user's browser. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.