#rce

### Summary Swing Music's `list_folders()` function in the `/folder/dir-browser` endpoint is vulnerable to directory traversal attacks. Any authenticated user (including non-admin) can browse arbitrary directories on the server filesystem. ### Details The `@api.post("/dir-browser")` endpoint lacks proper path validation and authorization checks: - **No authorization requirement**: Any authenticated user can access the endpoint - **Improper path handling**: The code attempts to prepend "/" to non-existent paths but this doesn't prevent traversal: ```python req_dir = pathlib.Path("../../../../etc") # → PosixPath('../../../../etc') if not req_dir.exists(): # → False req_dir = "/" / req_dir # → PosixPath('/../../../../etc') ``` ### PoC 1. Create a non-admin user 2. Authenticate as a non-admin user 3. Send the following request: ``` POST /folder/dir-browser HTTP/1.1 Host: IP:1970 Content-Type: application/json Cookie: access_token_cookie=non-admin-a...

The North Korean threat actors associated with the long-running Contagious Interview campaign have been observed using malicious Microsoft Visual Studio Code (VS Code) projects as lures to deliver a backdoor on compromised endpoints. The latest finding demonstrates continued evolution of the new tactic that was first discovered in December 2025, Jamf Threat Labs said. "This activity involved

### Summary A stored Cross-Site Scripting (XSS) vulnerability in the Mermaid artifact renderer allows attackers to execute arbitrary JavaScript within the application context. This XSS can be escalated to Remote Code Execution (RCE) by leveraging the exposed `electronAPI` IPC bridge, allowing attackers to run arbitrary system commands on the victim's machine. ### Details The vulnerability exists in the `Renderer` component responsible for rendering Mermaid diagrams within chat artifacts. ```TypeScript case 'application/lobe.artifacts.mermaid': { return <Mermaid variant={'borderless'}>{content}</Mermaid>; } ``` The `content` variable, which is derived from user or AI-generated messages, is passed directly to the `<Mermaid>` component without any sanitization. The Mermaid library renders HTML labels (e.g., nodes defined with ["..."]) directly into the DOM. If the content contains malicious HTML tags (like <img onerror=...>), they are executed. In the Desktop version, the application...

Researchers found the popular model context protocol (MCP) servers, which are integral components of AI services, carry serious vulnerabilities.

A set of three security vulnerabilities has been disclosed in mcp-server-git, the official Git Model Context Protocol (MCP) server maintained by Anthropic, that could be exploited to read or delete arbitrary files and execute code under certain conditions. "These flaws can be exploited through prompt injection, meaning an attacker who can influence what an AI assistant reads (a malicious README,

Cybersecurity researchers have disclosed details of a security flaw that leverages indirect prompt injection targeting Google Gemini as a way to bypass authorization guardrails and use Google Calendar as a data extraction mechanism. The vulnerability, Miggo Security's Head of Research, Liad Eliyahu, said, made it possible to circumvent Google Calendar's privacy controls by hiding a dormant

In cybersecurity, the line between a normal update and a serious incident keeps getting thinner. Systems that once felt reliable are now under pressure from constant change. New AI tools, connected devices, and automated systems quietly create more ways in, often faster than security teams can react. This week’s stories show how easily a small mistake or hidden service can turn into a real

A team of academics from the CISPA Helmholtz Center for Information Security in Germany has disclosed the details of a new hardware vulnerability affecting AMD processors. The security flaw, codenamed StackWarp, can allow bad actors with privileged control over a host server to run malicious code within confidential virtual machines (CVMs), undermining the integrity guarantees provided by AMD

### Summary The `node-tar` library (`<= 7.5.2`) fails to sanitize the `linkpath` of `Link` (hardlink) and `SymbolicLink` entries when `preservePaths` is false (the default secure behavior). This allows malicious archives to bypass the extraction root restriction, leading to **Arbitrary File Overwrite** via hardlinks and **Symlink Poisoning** via absolute symlink targets. ### Details The vulnerability exists in `src/unpack.ts` within the `[HARDLINK]` and `[SYMLINK]` methods. **1. Hardlink Escape (Arbitrary File Overwrite)** The extraction logic uses `path.resolve(this.cwd, entry.linkpath)` to determine the hardlink target. Standard Node.js behavior dictates that if the second argument (`entry.linkpath`) is an **absolute path**, `path.resolve` ignores the first argument (`this.cwd`) entirely and returns the absolute path. The library fails to validate that this resolved target remains within the extraction root. A malicious archive can create a hardlink to a sensitive file on the h...

### Summary MCPJam inspector is the local-first development platform for MCP servers. The Latest version Versions 1.4.2 and earlier are vulnerable to remote code execution (RCE) vulnerability, which allows an attacker to send a crafted HTTP request that triggers the installation of an MCP server, leading to RCE. This vulnerability is similar to CVE-2025-49596, but more severe. While CVE-2025-49596 requires tricking a user into clicking a malicious link, this vulnerability is exploitable with no user interaction. Since MCPJam inspector by default listens on 0.0.0.0 instead of 127.0.0.1, an attacker can trigger the RCE remotely via a simple HTTP request. ### Details MCPJam inspector binds to `0.0.0.0` making its HTTP APIs remotely reachable. ``` TypeScript const server = serve({ fetch: app.fetch, port: SERVER_PORT, hostname: "0.0.0.0", }); ``` The `/api/mcp/connect` API, which is intended for connecting to MCP servers, becomes an open entry point for unauthorized requests. Whe...