Summary
Kozou: Unauthenticated MCP HTTP server and bundled dev-stack hardening (DNS-rebinding, request-body limits, read-only reads, default network exposure)
References
Related vulnerabilities
All Supply chain →- HIGHGHSA-869J-R97X-HX2G
Anki's local HTTP server does not sufficiently validate requests
- HIGHGHSA-F4XH-W4CJ-QXQ8
LangSmith SDK TracingMiddleware: Arbitrary server-side file read
- HIGHGHSA-V3F4-W7R7-V3HM
Uni-CLI: Legacy HTTP MCP transport accepted browser-originated localhost requests
- MEDIUMGHSA-JR33-MW75-7J8F
dbt MCP Server: Unauthenticated OAuth Context Endpoint Leaks dbt Platform Tokens
- HIGHGHSA-G5QX-H5F3-MP2F
TinaCMS: Cross-origin postMessage handlers and rich-text URL-sanitization bypass enable stored XSS and session takeover
- CRITICALGHSA-C55V-343G-5XFF
Craft CMS: Blind SSRF and Arbitrary JavaScript Injection via Host Header Poisoning in actionResourceJs