24h | 7d | 30d

CVE-2026-41316

Overview

  • ruby
  • erb
24 Apr 2026
Published
25 Apr 2026
Updated
CVSS v3.1
HIGH (8.1)
EPSS
0.11%
KEV

Description

ERB is a templating system for Ruby. Ruby 2.7.0 (before ERB 2.2.0 was published on rubygems.org) introduced an `@_init` instance variable guard in `ERB#result` and `ERB#run` to prevent code execution when an ERB object is reconstructed via `Marshal.load` (deserialization). However, three other public methods that also evaluate `@src` via `eval()` were not given the same guard: `ERB#def_method`, `ERB#def_module`, and `ERB#def_class`. An attacker who can trigger `Marshal.load` on untrusted data in a Ruby application that has `erb` loaded can use `ERB#def_module` (zero-arg, default parameters) as a code execution sink, bypassing the `@_init` protection entirely. ERB 4.0.3.1, 4.0.4.1, 6.0.1.1, and 6.0.4 patch the issue.

Statistics

  • 1 Post
Last activity: 4 hours ago

Fediverse

Profile picture fallback
Vito Botta @vitobotta

Ruby 4.0.3 shipped with a single change: CVE-2026-41316 in ERB. Code injection via untrusted template input. Most Rails shops are still on 3.4 while the 4.0 series gets bimonthly patches. 3.2 went EOL in March. - ruby-lang.org/en/news/2026/04/

  • 0
  • 0
  • 0
  • 4h ago

CVE-2026-7446

Overview

  • VetCoders
  • mcp-server-semgrep
30 Apr 2026
Published
30 Apr 2026
Updated
CVSS v4.0
MEDIUM (6.9)
EPSS
1.07%
KEV

Description

A vulnerability was detected in VetCoders mcp-server-semgrep 1.0.0. This affects the function analyze_results/filter_results/export_results/compare_results/scan_directory/create_rule of the file src/index.ts of the component MCP Interface. The manipulation of the argument ID results in os command injection. The attack can be executed remotely. The exploit is now public and may be used. Upgrading to version 1.0.1 is able to mitigate this issue. The patch is identified as 141335da044e53c3f5b315e0386e01238405b771. It is advisable to upgrade the affected component.

Statistics

  • 1 Post
Last activity: 23 hours ago

Fediverse

Profile picture fallback
Vito Botta @vitobotta

Command injection in MCP servers. Not surprised. CVE-2026-7446 hits mcp-server-semgrep, and CVE-2026-7416 hits xcode-mcp-server.

Both let remote attackers inject OS commands with no auth needed. The attack surface on MCP servers keeps growing, and most of these community-built tools were never designed with security in mind. mcp-server-semgrep has a fix in v1.0.1, but who's checking their MCP server versions? Nobody. That's the problem.

nvd.nist.gov/vuln/detail/CVE-2

  • 0
  • 0
  • 0
  • 23h ago

CVE-2026-7416

Overview

  • PolarVista
  • xcode-mcp-server
29 Apr 2026
Published
30 Apr 2026
Updated
CVSS v4.0
MEDIUM (6.9)
EPSS
0.25%
KEV

Description

A vulnerability was found in PolarVista xcode-mcp-server 1.0.0. This issue affects the function build_project/run_tests of the file src/index.ts of the component MCP Interface. The manipulation of the argument Request results in os command injection. The attack may be launched remotely. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet.

Statistics

  • 1 Post
Last activity: 23 hours ago

Fediverse

Profile picture fallback
Vito Botta @vitobotta

Command injection in MCP servers. Not surprised. CVE-2026-7446 hits mcp-server-semgrep, and CVE-2026-7416 hits xcode-mcp-server.

Both let remote attackers inject OS commands with no auth needed. The attack surface on MCP servers keeps growing, and most of these community-built tools were never designed with security in mind. mcp-server-semgrep has a fix in v1.0.1, but who's checking their MCP server versions? Nobody. That's the problem.

nvd.nist.gov/vuln/detail/CVE-2

  • 0
  • 0
  • 0
  • 23h ago
Showing 21 to 23 of 23 CVEs