Security
Headlines

Headlines Latest CVEs

Headline

GHSA-75mj-4g74-9rg2: Universal Tool Calling Protocol (UTCP) client library for Python vulnerable to Trust Boundary Violation through Manual JSON specification

The vulnerability arises when a client fetches a tools’ JSON specification, known as a Manual, from a remote Manual Endpoint. While a provider may initially serve a benign manual (e.g., one defining an HTTP tool call), earning the clients’ trust, a malicious provider can later change the manual to exploit the client.

1 month ago

#vulnerability #js #git #intel

Skip to content

Navigation Menu

- AI CODE CREATION
  - GitHub CopilotWrite better code with AI
  - GitHub SparkBuild and deploy intelligent apps
  - GitHub ModelsManage and compare prompts
  - MCP RegistryNewIntegrate external tools

View all features

Pricing

Provide feedback

Saved searches****Use saved searches to filter your results more quickly

Sign up

Appearance settings

GitHub Advisory Database
GitHub Reviewed
CVE-2025-14542

Universal Tool Calling Protocol (UTCP) client library for Python vulnerable to Trust Boundary Violation through Manual JSON specification

High severity GitHub Reviewed Published Dec 13, 2025 to the GitHub Advisory Database • Updated Dec 15, 2025

Affected versions

< 1.1.0

Description

Published to the GitHub Advisory Database

Dec 13, 2025

Last updated

Dec 15, 2025

ghsa: Latest News

GHSA-j4rc-96xj-gvqc: phpMyFAQ: Public API endpoints expose emails and invisible questions

9 days ago

GHSA-wm8h-26fv-mg7g: phpMyFAQ: /api/setup/backup accessible to any authenticated user (authz missing)

9 days ago

GHSA-7p9h-m7m8-vhhv: phpMyFAQ: Attachment download allowed without dlattachment right (broken access control)

9 days ago

GHSA-w7rq-fgx4-4xcm: LavaLite CMS affected by a stored cross-site scripting vulnerability

9 days ago

GHSA-mxc8-4jqf-368q: miniserve affected by a TOCTOU and symlink race vulnerability

9 days ago