Skip to main content
CVE-2026-11624 CRITICAL PATCH Act Now

Missing Origin/Host header validation in Google's MCP Toolbox for Databases (Model Context Protocol server) prior to v0.25.0 allows remote attackers to reach the locally-bound HTTP server via DNS rebinding from a victim's browser, abusing the bridge to issue arbitrary tool/database commands. The fix introduces a new --allowed-hosts startup flag (companion to the existing --allowed-origins) that validates inbound Host headers, though both flags retain an insecure-by-default '*' value with only a startup warning. No public exploit identified at time of analysis; the issue was reported internally by Google.

Information Disclosure Mcp Toolbox For Databases
NVD GitHub VulDB
CVSS 4.0
9.4
EPSS
0.0%
CVE-2026-12183 CRITICAL Act Now

Remote unauthenticated authentication bypass in Nefteprodukttekhnika BUK TS-G Gas Station Automation System 2.9.1 through 2.10.2 on Linux allows any HTTP client to obtain administrator-level access by POSTing arbitrary credentials to /php/ajax-login.php, which unconditionally returns userid=1. Downstream privileged endpoints under /php/ajax-main.php and /modules/* fail to validate a server-side session, exposing full control over fuel dispensers, tank gauges, pricing, POS, bank terminals, and relays. No public exploit identified at time of analysis, but a public reference to a proof-of-concept repository (ciprobe/bukts_auth_bypass) suggests trivially reproducible exploitation against ICS/OT infrastructure.

Authentication Bypass PHP
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.2%
CVE-2025-55662 CRITICAL Act Now

Divide-by-zero crash in GPAC's MP4Box tool allows denial of service when processing a crafted MP4 file containing a malformed Opus audio track header. The function gf_opus_parse_packet_header() in media_tools/av_parsers.c:11479 fails to validate that nb_frames is non-zero before performing arithmetic (max = header->nb_frames - 1), triggering a SIGFPE along the Opus dump path. A public proof-of-concept file is available, and no authentication or special privileges are required - only the ability to supply a crafted file to the tool. No confirmed active exploitation (not in CISA KEV); impact is limited to process crash with no code execution potential identified.

Microsoft Denial Of Service
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy