7.5
CVE-2026-40560 - Starman versions before 0.4018 for Perl allows HTTP Request Smuggling via Improper Header Precedence
Starman versions before 0.4018 for Perl allows HTTP Request Smuggling via Improper Header Precedence. Starman incorrectly prioritizes "Content-Length" over "Transfer-Encoding: chunked" when both headers are present in an HTTP request. Per RFC 7230 3.3.3, Transfer-Encoding must take precedence. Anβ¦
5.9
CVE-2026-33467 - Improper Verification of Cryptographic Signature in Elastic Package Registry Leading to Package Intβ¦
Improper Verification of Cryptographic Signature (CWE-347) in Elastic Package Registry could allow an attacker positioned to intercept network traffic, or to otherwise influence the contents served to a self-hosted registry, to substitute a tampered package without the integrity check failing closeβ¦
9.2
CVE-2026-41446 - WattBox 800 & 820 Series < 2.10.0.0 RCE via Diagnostic Endpoints
Snap One WattBox 800 and 820 series firmware versions prior to 2.10.0.0 contain undisclosed diagnostic HTTP endpoints that require only the device MAC address and service tag for authentication, both of which are printed in plaintext on the physical device label. Attackers with access to the deviceβ¦
6.9
CVE-2026-7319 - elinsky execution-system-mcp add_action Tool server.py _get_context_file_path path traversal
A flaw has been found in elinsky execution-system-mcp 0.1.0. The impacted element is the function _get_context_file_path of the file src/execution_system_mcp/server.py of the component add_action Tool. This manipulation of the argument context causes path traversal. The attack can be initiated remoβ¦
5.1
CVE-2026-7318 - elie mcp-project research_server.py search_papers path traversal
A vulnerability was detected in elie mcp-project 0.1.0. The affected element is the function search_papers of the file research_server.py. The manipulation of the argument topic results in path traversal. Attacking locally is a requirement. The exploit is now public and may be used. The project wasβ¦
2.3
CVE-2026-7317 - Grav CMS Cache Value FileCache.php doGet deserialization
A vulnerability was found in Grav CMS up to 1.7.49.5/2.0.0-beta.1. Affected by this vulnerability is the function FileCache::doGet of the file system/src/Grav/Framework/Cache/Adapter/FileCache.php of the component Cache Value Handler. The manipulation results in deserialization. The attack may be lβ¦
6.9
CVE-2026-7316 - eiliyaabedini aider-mcp code_with_ai aider_mcp.py command injection
A vulnerability has been found in eiliyaabedini aider-mcp up to 667b914301aada695aab0e46d1fb3a7d5e32c8af. Affected is an unknown function of the file aider_mcp.py of the component code_with_ai. The manipulation of the argument working_dir/editable_files leads to command injection. The attack may beβ¦
7.7
CVE-2026-41649 - Outline has IDOR in document share creation that allows unauthorized access to private documents acβ¦
Outline is a service that allows for collaborative documentation. The `shares.create` API endpoint starting in version 0.86.0 and prior to version 1.7.0 has an insecure direct object reference.. When both `collectionId` and `documentId` are provided in the request, the authorization logic only checβ¦
6.9
CVE-2026-7315 - eiceblue spire-pdf-mcp-server PDF File server.py get_pdf_path path traversal
A flaw has been found in eiceblue spire-pdf-mcp-server 0.1.1. This impacts the function get_pdf_path of the file src/spire_pdf_mcp/server.py of the component PDF File Handler. Executing a manipulation of the argument filepath can lead to path traversal. The attack can be launched remotely. The explβ¦
6.9
CVE-2026-7314 - eiceblue spire-doc-mcp-server base.py get_doc_path path traversal
A vulnerability was detected in eiceblue spire-doc-mcp-server 1.0.0. This affects the function get_doc_path of the file src/spire_doc_mcp/api/base.py. Performing a manipulation of the argument document_name results in path traversal. The attack can be initiated remotely. The exploit is now public aβ¦