Team-Off-course/MCP-Server-Vuln-Analysis

Releases0

Stars5

CVE History

CVE	Published	CVSS v3	CVSS v2
CVE-2025-66689 ↗	Jan 12, 2026Monday, 12 January 2026, 17:15	6.5 MEDIUM	—
A path traversal vulnerability exists in Zen MCP Server before 9.8.2 that allows authenticated attackers to read arbitrary files on the system. The vulnerability is caused by flawed logic in the is_dangerous_path() validation function that uses exact string matching against a blacklist of system directories. Attackers can bypass these restrictions by accessing subdirectories of blacklisted paths.
CVE-2025-65512 ↗	Dec 10, 2025Wednesday, 10 December 2025, 21:16	7.5 HIGH	—
A Server-Side Request Forgery (SSRF) vulnerability was discovered in the webpage-to-markdown conversion feature of markdownify-mcp v0.0.2 and before. This vulnerability allows an attacker to bypass private IP restrictions through hostname-based bypass and HTTP redirect chains, enabling access to internal network services.
CVE-2025-65513 ↗	Dec 9, 2025Tuesday, 9 December 2025, 22:16	7.5 HIGH	—
fetch-mcp v1.0.2 and before is vulnerable to Server-Side Request Forgery (SSRF) vulnerability, which allows attackers to bypass private IP validation and access internal network resources.