{
  "publisher": "elsas.it",
  "title": "MCP & Agent-Ecosystem Security Status",
  "generated_at": "2026-07-12T20:18:02+00:00",
  "disclaimer": "A package listed here has at least one advisory in the elsas feed sourced to a primary advisory (GitHub Advisory Database, CVE/NVD, OSV, or CISA-KEV). Absence from this list is NOT a security audit and does not mean a package is safe — it means we have no advisory for it on record.",
  "coverage": {
    "tracked_items": 18569,
    "advisories_total": 120,
    "packages_listed": 35,
    "window": {
      "first_day": "2026-05-26",
      "latest_day": "2026-07-11",
      "days": 42
    }
  },
  "verify": {
    "signature": "SSHSIG Ed25519",
    "allowed_signers": "https://elsas.it/.well-known/allowed_signers",
    "recipe": "https://elsas.it/.well-known/signature-verify.md",
    "note": "Each advisory carries the report_id of the signed report it was published in; fetch that report and verify its signature to confirm."
  },
  "access": {
    "mcp_endpoint": "https://elsas.it/mcp",
    "free_sample": "https://elsas.it/sample",
    "check_your_deps": "tools/call check_affected (pay-per-value; free when clear)"
  },
  "packages": [
    {
      "package": "Langflow",
      "ecosystem": "",
      "worst_severity": "HIGH",
      "kev": true,
      "advisory_count": 1,
      "last_seen": "2026-07-07",
      "advisories": [
        {
          "id": "CVE-2026-55255",
          "cve_id": "CVE-2026-55255",
          "ghsa_id": null,
          "title": "CVE-2026-55255: Langflow Authorization Bypass Through User-Controlled Key Vulnerability",
          "severity": "HIGH",
          "kev": true,
          "cvss": null,
          "vulnerable_range": "Langflow Langflow (all versions — see advisory)",
          "fixed": null,
          "source_url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?search=CVE-2026-55255",
          "report_id": "ee3546d9-ce4d-4d85-b676-137c73973990",
          "date": "2026-07-07"
        }
      ],
      "slug": "langflow"
    },
    {
      "package": "Splunk Enterprise",
      "ecosystem": "",
      "worst_severity": "HIGH",
      "kev": true,
      "advisory_count": 1,
      "last_seen": "2026-06-18",
      "advisories": [
        {
          "id": "CVE-2026-20253",
          "cve_id": "CVE-2026-20253",
          "ghsa_id": null,
          "title": "CVE-2026-20253: Splunk Enterprise Missing Authentication for Critical Function Vulnerability",
          "severity": "HIGH",
          "kev": true,
          "cvss": null,
          "vulnerable_range": "Splunk Enterprise (all versions — see advisory)",
          "fixed": null,
          "source_url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?search=CVE-2026-20253",
          "report_id": "5843eb50-631c-414f-bad0-a29afe35e448",
          "date": "2026-06-18"
        }
      ],
      "slug": "splunk-enterprise"
    },
    {
      "package": "BerriAI LiteLLM",
      "ecosystem": "",
      "worst_severity": "HIGH",
      "kev": true,
      "advisory_count": 1,
      "last_seen": "2026-06-08",
      "advisories": [
        {
          "id": "CVE-2026-42271",
          "cve_id": "CVE-2026-42271",
          "ghsa_id": null,
          "title": "7bc450ebaf21",
          "severity": "HIGH",
          "kev": true,
          "cvss": null,
          "vulnerable_range": "BerriAI LiteLLM (all versions — see advisory)",
          "fixed": null,
          "source_url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?search=CVE-2026-42271",
          "report_id": "c65ee394-98bc-47a1-84b2-b1dc1a672f1e",
          "date": "2026-06-08"
        }
      ],
      "slug": "berriai-litellm"
    },
    {
      "package": "Linux Kernel",
      "ecosystem": "",
      "worst_severity": "HIGH",
      "kev": true,
      "advisory_count": 1,
      "last_seen": "2026-06-02",
      "advisories": [
        {
          "id": "CVE-2022-0492",
          "cve_id": "CVE-2022-0492",
          "ghsa_id": null,
          "title": "c40274832954",
          "severity": "HIGH",
          "kev": true,
          "cvss": null,
          "vulnerable_range": "Linux Kernel (all versions — see advisory)",
          "fixed": null,
          "source_url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?search=CVE-2022-0492",
          "report_id": "c65ee394-98bc-47a1-84b2-b1dc1a672f1e",
          "date": "2026-06-02"
        }
      ],
      "slug": "linux-kernel"
    },
    {
      "package": "better-auth",
      "ecosystem": "npm",
      "worst_severity": "CRITICAL",
      "kev": false,
      "advisory_count": 4,
      "last_seen": "2026-07-07",
      "advisories": [
        {
          "id": "GHSA-86j7-9j95-vpqj",
          "cve_id": "GHSA-86j7-9j95-vpqj",
          "ghsa_id": "GHSA-86j7-9j95-vpqj",
          "title": "Better Auth has stored XSS in the auth-server origin via javascript: redirect_uri in oidc-provider and mcp",
          "severity": "HIGH",
          "kev": false,
          "cvss": "7.7",
          "vulnerable_range": "< 1.6.13",
          "fixed": "1.6.13",
          "source_url": "https://github.com/advisories/GHSA-86j7-9j95-vpqj",
          "report_id": "ee3546d9-ce4d-4d85-b676-137c73973990",
          "date": "2026-07-07T22:17:00.137055+00:00"
        },
        {
          "id": "CVE-2026-53518",
          "cve_id": "CVE-2026-53518",
          "ghsa_id": "GHSA-7w99-5wm4-3g79",
          "title": "@better-auth/oauth-provider's OAuth authorization-code grant allows concurrent redemption when two token requests race the find-then-delete primitive",
          "severity": "HIGH",
          "kev": false,
          "cvss": "8.1",
          "vulnerable_range": "< 1.6.11",
          "fixed": "1.6.11",
          "source_url": "https://github.com/advisories/GHSA-7w99-5wm4-3g79",
          "report_id": "ee3546d9-ce4d-4d85-b676-137c73973990",
          "date": "2026-07-07T22:17:00.137055+00:00"
        },
        {
          "id": "GHSA-9h47-pqcx-hjr4",
          "cve_id": "GHSA-9h47-pqcx-hjr4",
          "ghsa_id": "GHSA-9h47-pqcx-hjr4",
          "title": "Better Auth has insecure cryptographic defaults in oidcProvider: alg=none advertised and plain PKCE accepted by default",
          "severity": "HIGH",
          "kev": false,
          "cvss": "8.7",
          "vulnerable_range": "< 1.6.11",
          "fixed": "1.6.11",
          "source_url": "https://github.com/advisories/GHSA-9h47-pqcx-hjr4",
          "report_id": "ee3546d9-ce4d-4d85-b676-137c73973990",
          "date": "2026-07-07T22:17:00.137055+00:00"
        },
        {
          "id": "CVE-2026-53512",
          "cve_id": "CVE-2026-53512",
          "ghsa_id": "GHSA-pw9m-5jxm-xr6h",
          "title": "Better Auth: OAuth refresh-token replay via missing client authentication on oidc-provider and mcp plugins",
          "severity": "CRITICAL",
          "kev": false,
          "cvss": "9.1",
          "vulnerable_range": "< 1.6.11",
          "fixed": "1.6.11",
          "source_url": "https://github.com/advisories/GHSA-pw9m-5jxm-xr6h",
          "report_id": "ee3546d9-ce4d-4d85-b676-137c73973990",
          "date": "2026-07-07T20:17:04.529527+00:00"
        }
      ],
      "slug": "better-auth"
    },
    {
      "package": "langchain",
      "ecosystem": "pip",
      "worst_severity": "CRITICAL",
      "kev": false,
      "advisory_count": 2,
      "last_seen": "2026-07-06",
      "advisories": [
        {
          "id": "CVE-2023-36188",
          "cve_id": "CVE-2023-36188",
          "ghsa_id": "GHSA-57fc-8q82-gfp3",
          "title": "langchain vulnerable to arbitrary code execution",
          "severity": "CRITICAL",
          "kev": false,
          "cvss": "9.8",
          "vulnerable_range": "< 0.0.247",
          "fixed": "0.0.247",
          "source_url": "https://github.com/advisories/GHSA-57fc-8q82-gfp3",
          "report_id": "c4bf9cb4-8fdc-4b23-bffc-77aabd074849",
          "date": "2026-07-06T16:17:01.483306+00:00"
        },
        {
          "id": "GHSA-gr75-jv2w-4656",
          "cve_id": "GHSA-gr75-jv2w-4656",
          "ghsa_id": "GHSA-gr75-jv2w-4656",
          "title": "LangChain: Path traversal and sandbox escape in LangChain file-search middleware and loaders",
          "severity": "MODERATE",
          "kev": false,
          "cvss": "5.1",
          "vulnerable_range": "<= 1.3.8",
          "fixed": "1.3.9",
          "source_url": "https://github.com/advisories/GHSA-gr75-jv2w-4656",
          "report_id": "341bcceb-6be9-4ae4-9075-8c7aff9046e1",
          "date": "2026-06-19T10:22:37.292014+00:00"
        }
      ],
      "slug": "langchain"
    },
    {
      "package": "langroid",
      "ecosystem": "pip",
      "worst_severity": "CRITICAL",
      "kev": false,
      "advisory_count": 2,
      "last_seen": "2026-07-06",
      "advisories": [
        {
          "id": "CVE-2026-54769",
          "cve_id": "CVE-2026-54769",
          "ghsa_id": "GHSA-q9p7-wqxg-mrhc",
          "title": "Langroid: Sandbox Escape to Remote Code Execution via Incomplete `eval()` Mitigation in TableChatAgent",
          "severity": "CRITICAL",
          "kev": false,
          "cvss": "10.0",
          "vulnerable_range": "<= 0.65.1",
          "fixed": "0.65.2",
          "source_url": "https://github.com/advisories/GHSA-q9p7-wqxg-mrhc",
          "report_id": "c4bf9cb4-8fdc-4b23-bffc-77aabd074849",
          "date": "2026-07-06T22:16:59.224527+00:00"
        },
        {
          "id": "CVE-2026-55615",
          "cve_id": "CVE-2026-55615",
          "ghsa_id": "GHSA-2pq5-3q89-j7cc",
          "title": "Langroid: Neo4jChatAgent executes LLM-generated Cypher without validation (prompt-to-Cypher injection; config-conditional RCE), mirroring the SQLChatAgent bug fixed in CVE-2026-25879",
          "severity": "CRITICAL",
          "kev": false,
          "cvss": "0.0",
          "vulnerable_range": "<= 0.65.4",
          "fixed": "0.65.5",
          "source_url": "https://github.com/advisories/GHSA-2pq5-3q89-j7cc",
          "report_id": "c4bf9cb4-8fdc-4b23-bffc-77aabd074849",
          "date": "2026-07-06T22:16:59.224527+00:00"
        }
      ],
      "slug": "langroid"
    },
    {
      "package": "mcp-memory-service",
      "ecosystem": "pip",
      "worst_severity": "CRITICAL",
      "kev": false,
      "advisory_count": 2,
      "last_seen": "2026-07-02",
      "advisories": [
        {
          "id": "CVE-2026-50027",
          "cve_id": "CVE-2026-50027",
          "ghsa_id": "GHSA-84hp-mqvj-3p8h",
          "title": "mcp-memory-service: Missing Authentication on Document API Endpoints Allows Unauthenticated Memory Read/Write/Delete",
          "severity": "CRITICAL",
          "kev": false,
          "cvss": "9.8",
          "vulnerable_range": "< 10.67.1",
          "fixed": "10.67.1",
          "source_url": "https://github.com/advisories/GHSA-84hp-mqvj-3p8h",
          "report_id": "b1229b92-7010-4384-bcce-7bc939a6d708",
          "date": "2026-07-02T16:16:49.434099+00:00"
        },
        {
          "id": "CVE-2026-49291",
          "cve_id": "CVE-2026-49291",
          "ghsa_id": "GHSA-2r68-g678-7qr3",
          "title": "mcp-memory-service: OAuth read-only clients can write and delete memories through MCP tools/call",
          "severity": "HIGH",
          "kev": false,
          "cvss": "8.1",
          "vulnerable_range": "<= 10.65.1",
          "fixed": "10.65.3",
          "source_url": "https://github.com/advisories/GHSA-2r68-g678-7qr3",
          "report_id": "100af940-6e58-4afb-a275-fe6de07d7426",
          "date": "2026-06-26T22:17:38.513851+00:00"
        }
      ],
      "slug": "mcp-memory-service"
    },
    {
      "package": "fast-mcp-telegram",
      "ecosystem": "pip",
      "worst_severity": "CRITICAL",
      "kev": false,
      "advisory_count": 1,
      "last_seen": "2026-07-02",
      "advisories": [
        {
          "id": "CVE-2026-52830",
          "cve_id": "CVE-2026-52830",
          "ghsa_id": "GHSA-rxw2-pc8j-vxwm",
          "title": "fast-mcp-telegram: Bearer token path traversal bypasses reserved Telegram session protection",
          "severity": "CRITICAL",
          "kev": false,
          "cvss": "9.4",
          "vulnerable_range": "<= 0.19.0",
          "fixed": "0.19.1",
          "source_url": "https://github.com/advisories/GHSA-rxw2-pc8j-vxwm",
          "report_id": "b1229b92-7010-4384-bcce-7bc939a6d708",
          "date": "2026-07-02T22:16:46.851337+00:00"
        }
      ],
      "slug": "fast-mcp-telegram"
    },
    {
      "package": "mcp-pinot-server",
      "ecosystem": "pip",
      "worst_severity": "CRITICAL",
      "kev": false,
      "advisory_count": 1,
      "last_seen": "2026-06-26",
      "advisories": [
        {
          "id": "CVE-2026-49257",
          "cve_id": "CVE-2026-49257",
          "ghsa_id": "GHSA-73cv-556c-w3g6",
          "title": "mcp-pinot: Unauthenticated tool invocation via default oauth_enabled=False + host 0.0.0.0 bind",
          "severity": "CRITICAL",
          "kev": false,
          "cvss": "10.0",
          "vulnerable_range": "<= 3.0.1",
          "fixed": "3.1.0",
          "source_url": "https://github.com/advisories/GHSA-73cv-556c-w3g6",
          "report_id": "100af940-6e58-4afb-a275-fe6de07d7426",
          "date": "2026-06-26T22:17:38.513851+00:00"
        }
      ],
      "slug": "mcp-pinot-server"
    },
    {
      "package": "netlicensing-mcp",
      "ecosystem": "pip",
      "worst_severity": "CRITICAL",
      "kev": false,
      "advisory_count": 1,
      "last_seen": "2026-06-19",
      "advisories": [
        {
          "id": "GHSA-hxpf-9xvq-wph8",
          "cve_id": "GHSA-hxpf-9xvq-wph8",
          "ghsa_id": "GHSA-hxpf-9xvq-wph8",
          "title": "netlicensing-mcp: REST Path Traversal Bypasses Token Redaction",
          "severity": "CRITICAL",
          "kev": false,
          "cvss": "9.6",
          "vulnerable_range": "< 0.1.8",
          "fixed": "0.1.8",
          "source_url": "https://github.com/advisories/GHSA-hxpf-9xvq-wph8",
          "report_id": "341bcceb-6be9-4ae4-9075-8c7aff9046e1",
          "date": "2026-06-19T10:22:37.292014+00:00"
        }
      ],
      "slug": "netlicensing-mcp"
    },
    {
      "package": "mcp-atlassian",
      "ecosystem": "pip",
      "worst_severity": "HIGH",
      "kev": false,
      "advisory_count": 2,
      "last_seen": "2026-07-10",
      "advisories": [
        {
          "id": "GHSA-g5r6-gv6m-f5jv",
          "cve_id": "GHSA-g5r6-gv6m-f5jv",
          "ghsa_id": "GHSA-g5r6-gv6m-f5jv",
          "title": "mcp-atlassian: Arbitrary file read via missing path validation in confluence_upload_attachment",
          "severity": "HIGH",
          "kev": false,
          "cvss": "7.7",
          "vulnerable_range": "< 0.22.0",
          "fixed": "0.22.0",
          "source_url": "https://github.com/advisories/GHSA-g5r6-gv6m-f5jv",
          "report_id": "46a6cec4-b353-422d-9b14-5cd4360ee3e8",
          "date": "2026-07-10T20:16:01.436749+00:00"
        },
        {
          "id": "GHSA-wm45-qh3g-v83f",
          "cve_id": "GHSA-wm45-qh3g-v83f",
          "ghsa_id": "GHSA-wm45-qh3g-v83f",
          "title": "mcp-atlassian: Arbitrary server-side file read via attachment upload",
          "severity": "HIGH",
          "kev": false,
          "cvss": "7.7",
          "vulnerable_range": "< 0.22.0",
          "fixed": "0.22.0",
          "source_url": "https://github.com/advisories/GHSA-wm45-qh3g-v83f",
          "report_id": "46a6cec4-b353-422d-9b14-5cd4360ee3e8",
          "date": "2026-07-10T20:16:01.436749+00:00"
        }
      ],
      "slug": "mcp-atlassian"
    },
    {
      "package": "serena-agent",
      "ecosystem": "pip",
      "worst_severity": "HIGH",
      "kev": false,
      "advisory_count": 1,
      "last_seen": "2026-07-09",
      "advisories": [
        {
          "id": "CVE-2026-49471",
          "cve_id": "CVE-2026-49471",
          "ghsa_id": "GHSA-37h2-6p4f-mp3q",
          "title": "Serena: Unauthenticated Flask dashboard on fixed port enables DNS rebinding → memory poisoning → RCE",
          "severity": "HIGH",
          "kev": false,
          "cvss": "8.3",
          "vulnerable_range": "< 1.5.2",
          "fixed": "1.5.2",
          "source_url": "https://github.com/advisories/GHSA-37h2-6p4f-mp3q",
          "report_id": "969f24a0-da39-4aa1-9be1-232aad2a5c1d",
          "date": "2026-07-09T19:20:08.426555+00:00"
        }
      ],
      "slug": "serena-agent"
    },
    {
      "package": "phantom-audio",
      "ecosystem": "pip",
      "worst_severity": "HIGH",
      "kev": false,
      "advisory_count": 1,
      "last_seen": "2026-07-09",
      "advisories": [
        {
          "id": "GHSA-52vm-mxx8-f227",
          "cve_id": "GHSA-52vm-mxx8-f227",
          "ghsa_id": "GHSA-52vm-mxx8-f227",
          "title": "Phantom: Arbitrary file write and decode-bomb DoS via unconfined MCP tool paths",
          "severity": "HIGH",
          "kev": false,
          "cvss": "7.7",
          "vulnerable_range": "<= 1.3.0",
          "fixed": "1.3.1",
          "source_url": "https://github.com/advisories/GHSA-52vm-mxx8-f227",
          "report_id": "969f24a0-da39-4aa1-9be1-232aad2a5c1d",
          "date": "2026-07-09T19:20:08.426555+00:00"
        }
      ],
      "slug": "phantom-audio"
    },
    {
      "package": "@better-auth/oauth-provider",
      "ecosystem": "npm",
      "worst_severity": "HIGH",
      "kev": false,
      "advisory_count": 1,
      "last_seen": "2026-07-07",
      "advisories": [
        {
          "id": "CVE-2026-53518",
          "cve_id": "CVE-2026-53518",
          "ghsa_id": "GHSA-7w99-5wm4-3g79",
          "title": "@better-auth/oauth-provider's OAuth authorization-code grant allows concurrent redemption when two token requests race the find-then-delete primitive",
          "severity": "HIGH",
          "kev": false,
          "cvss": "8.1",
          "vulnerable_range": ">= 1.6.0, < 1.6.11",
          "fixed": "1.6.11",
          "source_url": "https://github.com/advisories/GHSA-7w99-5wm4-3g79",
          "report_id": "ee3546d9-ce4d-4d85-b676-137c73973990",
          "date": "2026-07-07T22:17:00.137055+00:00"
        }
      ],
      "slug": "better-auth-oauth-provider"
    },
    {
      "package": "flyto-core",
      "ecosystem": "pip",
      "worst_severity": "HIGH",
      "kev": false,
      "advisory_count": 1,
      "last_seen": "2026-07-06",
      "advisories": [
        {
          "id": "CVE-2026-55786",
          "cve_id": "CVE-2026-55786",
          "ghsa_id": "GHSA-h9f9-h6gm-wc85",
          "title": "flyto-core has Unauthenticated Command Execution via HTTP MCP `execute_module`",
          "severity": "HIGH",
          "kev": false,
          "cvss": "8.4",
          "vulnerable_range": ">= 2.26.2, < 2.26.4",
          "fixed": "2.26.4",
          "source_url": "https://github.com/advisories/GHSA-h9f9-h6gm-wc85",
          "report_id": "c4bf9cb4-8fdc-4b23-bffc-77aabd074849",
          "date": "2026-07-06T18:15:59.499223+00:00"
        }
      ],
      "slug": "flyto-core"
    },
    {
      "package": "openclaw",
      "ecosystem": "npm",
      "worst_severity": "HIGH",
      "kev": false,
      "advisory_count": 4,
      "last_seen": "2026-07-02",
      "advisories": [
        {
          "id": "CVE-2026-53818",
          "cve_id": "CVE-2026-53818",
          "ghsa_id": "GHSA-rj6p-xmxr-qj4h",
          "title": "OpenClaw: MCP loopback could skip owner-only tool policy for non-owner callers",
          "severity": "MODERATE",
          "kev": false,
          "cvss": "6.6",
          "vulnerable_range": "< 2026.4.24",
          "fixed": "2026.4.24",
          "source_url": "https://github.com/advisories/GHSA-rj6p-xmxr-qj4h",
          "report_id": "b1229b92-7010-4384-bcce-7bc939a6d708",
          "date": "2026-07-02T18:16:47.077392+00:00"
        },
        {
          "id": "CVE-2026-53814",
          "cve_id": "CVE-2026-53814",
          "ghsa_id": "GHSA-6fvr-66p3-3qj4",
          "title": "OpenClaw: Hook-triggered CLI runs could receive owner MCP tool authority",
          "severity": "HIGH",
          "kev": false,
          "cvss": "8.4",
          "vulnerable_range": "< 2026.5.20",
          "fixed": "2026.5.20",
          "source_url": "https://github.com/advisories/GHSA-6fvr-66p3-3qj4",
          "report_id": "b1229b92-7010-4384-bcce-7bc939a6d708",
          "date": "2026-07-02T16:16:49.434099+00:00"
        },
        {
          "id": "GHSA-qh2f-99mv-mrcf",
          "cve_id": "GHSA-qh2f-99mv-mrcf",
          "ghsa_id": "GHSA-qh2f-99mv-mrcf",
          "title": "OpenClaw: Bundle MCP loopback could miss its exec denylist on session spawn",
          "severity": "MODERATE",
          "kev": false,
          "cvss": "0.0",
          "vulnerable_range": "< 2026.5.12",
          "fixed": "2026.5.12",
          "source_url": "https://github.com/advisories/GHSA-qh2f-99mv-mrcf",
          "report_id": "b1229b92-7010-4384-bcce-7bc939a6d708",
          "date": "2026-07-02T16:16:49.434099+00:00"
        },
        {
          "id": "GHSA-9c3v-684m-579c",
          "cve_id": "GHSA-9c3v-684m-579c",
          "ghsa_id": "GHSA-9c3v-684m-579c",
          "title": "OpenClaw MCP SSE redirects could forward Authorization headers",
          "severity": "MODERATE",
          "kev": false,
          "cvss": "6.5",
          "vulnerable_range": "< 2026.6.5",
          "fixed": "2026.6.5",
          "source_url": "https://github.com/advisories/GHSA-9c3v-684m-579c",
          "report_id": "9d0e85f1-2506-4562-ab81-a02b707f67df",
          "date": "2026-07-01T22:16:47.512049+00:00"
        }
      ],
      "slug": "openclaw"
    },
    {
      "package": "auth-fetch-mcp",
      "ecosystem": "npm",
      "worst_severity": "HIGH",
      "kev": false,
      "advisory_count": 1,
      "last_seen": "2026-07-01",
      "advisories": [
        {
          "id": "CVE-2026-49857",
          "cve_id": "CVE-2026-49857",
          "ghsa_id": "GHSA-pvrj-8cg3-j5f8",
          "title": "auth-fetch-mcp has SSRF Protection Bypass via IPv4-mapped IPv6 Loopback",
          "severity": "HIGH",
          "kev": false,
          "cvss": "7.4",
          "vulnerable_range": "<= 3.0.1",
          "fixed": "3.0.2",
          "source_url": "https://github.com/advisories/GHSA-pvrj-8cg3-j5f8",
          "report_id": "ceb50629-8612-4b71-84a0-04059c034936",
          "date": "2026-07-01T18:16:48.274872+00:00"
        }
      ],
      "slug": "auth-fetch-mcp"
    },
    {
      "package": "surrealdb",
      "ecosystem": "rust",
      "worst_severity": "HIGH",
      "kev": false,
      "advisory_count": 1,
      "last_seen": "2026-07-01",
      "advisories": [
        {
          "id": "GHSA-5qfp-32cf-69jh",
          "cve_id": "GHSA-5qfp-32cf-69jh",
          "ghsa_id": "GHSA-5qfp-32cf-69jh",
          "title": "SurrealDB: HTTP /rpc `sessions` method leaks attached session UUIDs, enabling full session hijack by anonymous callers",
          "severity": "HIGH",
          "kev": false,
          "cvss": "8.8",
          "vulnerable_range": "< 3.1.0",
          "fixed": "3.1.0",
          "source_url": "https://github.com/advisories/GHSA-5qfp-32cf-69jh",
          "report_id": "9d0e85f1-2506-4562-ab81-a02b707f67df",
          "date": "2026-07-01T20:16:48.228487+00:00"
        }
      ],
      "slug": "surrealdb"
    },
    {
      "package": "neuro-cortex-memory",
      "ecosystem": "pip",
      "worst_severity": "HIGH",
      "kev": false,
      "advisory_count": 1,
      "last_seen": "2026-07-01",
      "advisories": [
        {
          "id": "CVE-2026-49986",
          "cve_id": "CVE-2026-49986",
          "ghsa_id": "GHSA-gvpp-v77h-5w8g",
          "title": "Cortex has Untrusted Project Bootstrap Code Execution via `CLAUDE_PROJECT_DIR`",
          "severity": "HIGH",
          "kev": false,
          "cvss": "0.0",
          "vulnerable_range": "<= 3.17.0",
          "fixed": "3.18.0",
          "source_url": "https://github.com/advisories/GHSA-gvpp-v77h-5w8g",
          "report_id": "9d0e85f1-2506-4562-ab81-a02b707f67df",
          "date": "2026-07-01T20:16:48.228487+00:00"
        }
      ],
      "slug": "neuro-cortex-memory"
    },
    {
      "package": "@apify/actors-mcp-server",
      "ecosystem": "npm",
      "worst_severity": "HIGH",
      "kev": false,
      "advisory_count": 1,
      "last_seen": "2026-07-01",
      "advisories": [
        {
          "id": "CVE-2026-50143",
          "cve_id": "CVE-2026-50143",
          "ghsa_id": "GHSA-6gr2-qh89-hxwm",
          "title": "Apify Model Context Protocol (MCP) server: Actor MCP path authority injection leaks Apify token",
          "severity": "HIGH",
          "kev": false,
          "cvss": "8.1",
          "vulnerable_range": "< 0.10.11",
          "fixed": "0.10.11",
          "source_url": "https://github.com/advisories/GHSA-6gr2-qh89-hxwm",
          "report_id": "9d0e85f1-2506-4562-ab81-a02b707f67df",
          "date": "2026-07-01T22:16:47.512049+00:00"
        }
      ],
      "slug": "apify-actors-mcp-server"
    },
    {
      "package": "line-desktop-mcp",
      "ecosystem": "npm",
      "worst_severity": "HIGH",
      "kev": false,
      "advisory_count": 1,
      "last_seen": "2026-06-26",
      "advisories": [
        {
          "id": "CVE-2026-49357",
          "cve_id": "CVE-2026-49357",
          "ghsa_id": "GHSA-4hf8-5mjm-rfgq",
          "title": "Streamable HTTP mode exposes LINE Desktop read/send tools without MCP authentication",
          "severity": "HIGH",
          "kev": false,
          "cvss": "0.0",
          "vulnerable_range": "<= 1.1.1",
          "fixed": "1.1.2",
          "source_url": "https://github.com/advisories/GHSA-4hf8-5mjm-rfgq",
          "report_id": "100af940-6e58-4afb-a275-fe6de07d7426",
          "date": "2026-06-26T22:17:38.513851+00:00"
        }
      ],
      "slug": "line-desktop-mcp"
    },
    {
      "package": "appium-mcp",
      "ecosystem": "npm",
      "worst_severity": "HIGH",
      "kev": false,
      "advisory_count": 1,
      "last_seen": "2026-06-20",
      "advisories": [
        {
          "id": "GHSA-x975-rgx4-5fh4",
          "cve_id": "GHSA-x975-rgx4-5fh4",
          "ghsa_id": "GHSA-x975-rgx4-5fh4",
          "title": "appium-mcp: Unescaped Locator Data XSS in MCP-UI Resource (createLocatorGeneratorUI)",
          "severity": "HIGH",
          "kev": false,
          "cvss": "8.2",
          "vulnerable_range": "<= 1.85.9",
          "fixed": "1.85.10",
          "source_url": "https://github.com/advisories/GHSA-x975-rgx4-5fh4",
          "report_id": "fd8d5ffe-b598-44e2-8f5e-3f873b9f88c2",
          "date": "2026-06-20T05:31:47.697611+00:00"
        }
      ],
      "slug": "appium-mcp"
    },
    {
      "package": "mcp-searxng",
      "ecosystem": "npm",
      "worst_severity": "HIGH",
      "kev": false,
      "advisory_count": 2,
      "last_seen": "2026-06-20",
      "advisories": [
        {
          "id": "GHSA-mrvx-jmjw-vggc",
          "cve_id": "GHSA-mrvx-jmjw-vggc",
          "ghsa_id": "GHSA-mrvx-jmjw-vggc",
          "title": "SearXNG MCP Server: DNS-resolved Private Hostname SSRF in `web_url_read`",
          "severity": "HIGH",
          "kev": false,
          "cvss": "7.1",
          "vulnerable_range": "< 1.7.1",
          "fixed": "1.7.1",
          "source_url": "https://github.com/advisories/GHSA-mrvx-jmjw-vggc",
          "report_id": "fd8d5ffe-b598-44e2-8f5e-3f873b9f88c2",
          "date": "2026-06-20T05:31:47.697611+00:00"
        },
        {
          "id": "GHSA-xcqx-9jf5-w339",
          "cve_id": "GHSA-xcqx-9jf5-w339",
          "ghsa_id": "GHSA-xcqx-9jf5-w339",
          "title": "SearXNG MCP Server: Unbounded Response Body Read Bypasses URL Size Limit in `web_url_read`",
          "severity": "HIGH",
          "kev": false,
          "cvss": "7.5",
          "vulnerable_range": "< 1.7.1",
          "fixed": "1.7.1",
          "source_url": "https://github.com/advisories/GHSA-xcqx-9jf5-w339",
          "report_id": "fd8d5ffe-b598-44e2-8f5e-3f873b9f88c2",
          "date": "2026-06-20T05:31:47.697611+00:00"
        }
      ],
      "slug": "mcp-searxng"
    },
    {
      "package": "@zenalexa/unicli",
      "ecosystem": "npm",
      "worst_severity": "HIGH",
      "kev": false,
      "advisory_count": 1,
      "last_seen": "2026-06-20",
      "advisories": [
        {
          "id": "GHSA-v3f4-w7r7-v3hm",
          "cve_id": "GHSA-v3f4-w7r7-v3hm",
          "ghsa_id": "GHSA-v3f4-w7r7-v3hm",
          "title": "Uni-CLI: Legacy HTTP MCP transport accepted browser-originated localhost requests",
          "severity": "HIGH",
          "kev": false,
          "cvss": "0.0",
          "vulnerable_range": "< 0.225.2",
          "fixed": "0.225.2",
          "source_url": "https://github.com/advisories/GHSA-v3f4-w7r7-v3hm",
          "report_id": "fd8d5ffe-b598-44e2-8f5e-3f873b9f88c2",
          "date": "2026-06-20T05:31:47.697611+00:00"
        }
      ],
      "slug": "zenalexa-unicli"
    },
    {
      "package": "@agenticmail/openclaw",
      "ecosystem": "npm",
      "worst_severity": "HIGH",
      "kev": false,
      "advisory_count": 1,
      "last_seen": "2026-06-19",
      "advisories": [
        {
          "id": "GHSA-fq4x-789w-jg5h",
          "cve_id": "GHSA-fq4x-789w-jg5h",
          "ghsa_id": "GHSA-fq4x-789w-jg5h",
          "title": "AgenticMail: Unauthenticated inbound mail triggers bypassPermissions resume of the operator's Claude Code session (bridge-wake)",
          "severity": "HIGH",
          "kev": false,
          "cvss": "0.0",
          "vulnerable_range": "< 0.5.71",
          "fixed": "0.5.71",
          "source_url": "https://github.com/advisories/GHSA-fq4x-789w-jg5h",
          "report_id": "5843eb50-631c-414f-bad0-a29afe35e448",
          "date": "2026-06-19T10:22:37.292014+00:00"
        }
      ],
      "slug": "agenticmail-openclaw"
    },
    {
      "package": "@agenticmail/codex",
      "ecosystem": "npm",
      "worst_severity": "HIGH",
      "kev": false,
      "advisory_count": 1,
      "last_seen": "2026-06-19",
      "advisories": [
        {
          "id": "GHSA-fq4x-789w-jg5h",
          "cve_id": "GHSA-fq4x-789w-jg5h",
          "ghsa_id": "GHSA-fq4x-789w-jg5h",
          "title": "AgenticMail: Unauthenticated inbound mail triggers bypassPermissions resume of the operator's Claude Code session (bridge-wake)",
          "severity": "HIGH",
          "kev": false,
          "cvss": "0.0",
          "vulnerable_range": "< 0.1.33",
          "fixed": "0.1.33",
          "source_url": "https://github.com/advisories/GHSA-fq4x-789w-jg5h",
          "report_id": "5843eb50-631c-414f-bad0-a29afe35e448",
          "date": "2026-06-19T10:22:37.292014+00:00"
        }
      ],
      "slug": "agenticmail-codex"
    },
    {
      "package": "@agenticmail/claudecode",
      "ecosystem": "npm",
      "worst_severity": "HIGH",
      "kev": false,
      "advisory_count": 1,
      "last_seen": "2026-06-19",
      "advisories": [
        {
          "id": "GHSA-fq4x-789w-jg5h",
          "cve_id": "GHSA-fq4x-789w-jg5h",
          "ghsa_id": "GHSA-fq4x-789w-jg5h",
          "title": "AgenticMail: Unauthenticated inbound mail triggers bypassPermissions resume of the operator's Claude Code session (bridge-wake)",
          "severity": "HIGH",
          "kev": false,
          "cvss": "0.0",
          "vulnerable_range": "< 0.2.39",
          "fixed": "0.2.39",
          "source_url": "https://github.com/advisories/GHSA-fq4x-789w-jg5h",
          "report_id": "5843eb50-631c-414f-bad0-a29afe35e448",
          "date": "2026-06-19T10:22:37.292014+00:00"
        }
      ],
      "slug": "agenticmail-claudecode"
    },
    {
      "package": "@agenticmail/core",
      "ecosystem": "npm",
      "worst_severity": "HIGH",
      "kev": false,
      "advisory_count": 1,
      "last_seen": "2026-06-19",
      "advisories": [
        {
          "id": "GHSA-fq4x-789w-jg5h",
          "cve_id": "GHSA-fq4x-789w-jg5h",
          "ghsa_id": "GHSA-fq4x-789w-jg5h",
          "title": "AgenticMail: Unauthenticated inbound mail triggers bypassPermissions resume of the operator's Claude Code session (bridge-wake)",
          "severity": "HIGH",
          "kev": false,
          "cvss": "0.0",
          "vulnerable_range": "< 0.9.43",
          "fixed": "0.9.43",
          "source_url": "https://github.com/advisories/GHSA-fq4x-789w-jg5h",
          "report_id": "5843eb50-631c-414f-bad0-a29afe35e448",
          "date": "2026-06-19T10:22:37.292014+00:00"
        }
      ],
      "slug": "agenticmail-core"
    },
    {
      "package": "ha-mcp",
      "ecosystem": "pip",
      "worst_severity": "MODERATE",
      "kev": false,
      "advisory_count": 1,
      "last_seen": "2026-07-08",
      "advisories": [
        {
          "id": "GHSA-q855-8rh5-jfgq",
          "cve_id": "GHSA-q855-8rh5-jfgq",
          "ghsa_id": "GHSA-q855-8rh5-jfgq",
          "title": "ha-mcp: Add-on settings and policy routes are reachable without authentication at the bare root path",
          "severity": "MODERATE",
          "kev": false,
          "cvss": "6.5",
          "vulnerable_range": "< 7.10.0",
          "fixed": "7.10.0",
          "source_url": "https://github.com/advisories/GHSA-q855-8rh5-jfgq",
          "report_id": "969f24a0-da39-4aa1-9be1-232aad2a5c1d",
          "date": "2026-07-08T00:15:59.212725+00:00"
        }
      ],
      "slug": "ha-mcp"
    },
    {
      "package": "@aborruso/ckan-mcp-server",
      "ecosystem": "npm",
      "worst_severity": "MODERATE",
      "kev": false,
      "advisory_count": 1,
      "last_seen": "2026-07-07",
      "advisories": [
        {
          "id": "CVE-2026-53509",
          "cve_id": "CVE-2026-53509",
          "ghsa_id": "GHSA-g84h-j7jj-x32p",
          "title": "@aborruso/ckan-mcp-server: SSRF via base_url allows access to internal networks (Potential fix bypass of CVE-2026-33060)",
          "severity": "MODERATE",
          "kev": false,
          "cvss": "5.7",
          "vulnerable_range": "< 0.4.106",
          "fixed": "0.4.106",
          "source_url": "https://github.com/advisories/GHSA-g84h-j7jj-x32p",
          "report_id": "ee3546d9-ce4d-4d85-b676-137c73973990",
          "date": "2026-07-07T20:17:04.529527+00:00"
        }
      ],
      "slug": "aborruso-ckan-mcp-server"
    },
    {
      "package": "@jshookmcp/jshook",
      "ecosystem": "npm",
      "worst_severity": "MODERATE",
      "kev": false,
      "advisory_count": 1,
      "last_seen": "2026-07-01",
      "advisories": [
        {
          "id": "CVE-2026-49856",
          "cve_id": "CVE-2026-49856",
          "ghsa_id": "GHSA-c5r6-m4mr-8q5j",
          "title": "@jshookmcp/jshook: ICMP probe and traceroute skip local-network SSRF authorization",
          "severity": "MODERATE",
          "kev": false,
          "cvss": "4.3",
          "vulnerable_range": "= 0.3.1",
          "fixed": "0.3.2",
          "source_url": "https://github.com/advisories/GHSA-c5r6-m4mr-8q5j",
          "report_id": "ceb50629-8612-4b71-84a0-04059c034936",
          "date": "2026-07-01T18:16:48.274872+00:00"
        }
      ],
      "slug": "jshookmcp-jshook"
    },
    {
      "package": "repomix",
      "ecosystem": "npm",
      "worst_severity": "MODERATE",
      "kev": false,
      "advisory_count": 1,
      "last_seen": "2026-07-01",
      "advisories": [
        {
          "id": "CVE-2026-49988",
          "cve_id": "CVE-2026-49988",
          "ghsa_id": "GHSA-hwpp-h97w-2h3j",
          "title": "repomix: attach_packed_output can bypass file-read secret scanning for supported local files",
          "severity": "MODERATE",
          "kev": false,
          "cvss": "0.0",
          "vulnerable_range": "<= 1.14.0",
          "fixed": "1.14.1",
          "source_url": "https://github.com/advisories/GHSA-hwpp-h97w-2h3j",
          "report_id": "9d0e85f1-2506-4562-ab81-a02b707f67df",
          "date": "2026-07-01T20:16:48.228487+00:00"
        }
      ],
      "slug": "repomix"
    },
    {
      "package": "github.com/github/github-mcp-server",
      "ecosystem": "go",
      "worst_severity": "MODERATE",
      "kev": false,
      "advisory_count": 1,
      "last_seen": "2026-06-25",
      "advisories": [
        {
          "id": "CVE-2026-48529",
          "cve_id": "CVE-2026-48529",
          "ghsa_id": "GHSA-pjp5-fpmr-3349",
          "title": "GitHub MCP Server: Lockdown mode singleton in HTTP server causes cross-user GraphQL client confusion",
          "severity": "MODERATE",
          "kev": false,
          "cvss": "6.0",
          "vulnerable_range": ">= 0.22.0, < 1.1.2",
          "fixed": "1.1.2",
          "source_url": "https://github.com/advisories/GHSA-pjp5-fpmr-3349",
          "report_id": "b1b002a6-6fd3-4faa-bfe0-3eeac404965d",
          "date": "2026-06-25T22:17:38.196535+00:00"
        }
      ],
      "slug": "github-com-github-github-mcp-server"
    },
    {
      "package": "network-ai",
      "ecosystem": "npm",
      "worst_severity": "MODERATE",
      "kev": false,
      "advisory_count": 1,
      "last_seen": "2026-06-20",
      "advisories": [
        {
          "id": "GHSA-mxjx-28vx-xjjj",
          "cve_id": "GHSA-mxjx-28vx-xjjj",
          "ghsa_id": "GHSA-mxjx-28vx-xjjj",
          "title": "Network-AI: ApprovalInbox HTTP server has no authentication — anyone can approve pending agent actions",
          "severity": "MODERATE",
          "kev": false,
          "cvss": "5.9",
          "vulnerable_range": ">= 5.0.0, <= 5.12.1",
          "fixed": "5.12.2",
          "source_url": "https://github.com/advisories/GHSA-mxjx-28vx-xjjj",
          "report_id": "fd8d5ffe-b598-44e2-8f5e-3f873b9f88c2",
          "date": "2026-06-20T05:31:47.697611+00:00"
        }
      ],
      "slug": "network-ai"
    }
  ]
}
