Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:pypi/mcp-memory-service@10.4.3
Typepypi
Namespace
Namemcp-memory-service
Version10.4.3
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_version10.25.1
Latest_non_vulnerable_version10.25.1
Affected_by_vulnerabilities
0
url VCID-bg8q-4jsh-xff9
vulnerability_id VCID-bg8q-4jsh-xff9
summary 
mcp-memory-service's Wildcard CORS with Credentials Enables Cross-Origin Memory Theft
When the HTTP server is enabled (`MCP_HTTP_ENABLED=true`), the application configures FastAPI's CORSMiddleware with `allow_origins=['*']`, `allow_credentials=True`, `allow_methods=["*"]`, and `allow_headers=["*"]`. The wildcard `Access-Control-Allow-Origin: *` header permits any website to read API responses cross-origin. When combined with anonymous access (`MCP_ALLOW_ANONYMOUS_ACCESS=true`) - the simplest way to get the HTTP dashboard working without OAuth - no credentials are needed, so any malicious website can silently read, modify, and delete all stored memories.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-33010
reference_id
reference_type
scores
0
value 0.00018
scoring_system epss
scoring_elements 0.05096
published_at 2026-06-06T12:55:00Z
1
value 0.00018
scoring_system epss
scoring_elements 0.05091
published_at 2026-06-09T12:55:00Z
2
value 0.00018
scoring_system epss
scoring_elements 0.05048
published_at 2026-06-08T12:55:00Z
3
value 0.00018
scoring_system epss
scoring_elements 0.05089
published_at 2026-06-07T12:55:00Z
4
value 0.00018
scoring_system epss
scoring_elements 0.05111
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-33010
1
reference_url https://github.com/doobidoo/mcp-memory-service
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/doobidoo/mcp-memory-service
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-33010
reference_id CVE-2026-33010
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-33010
3
reference_url https://github.com/advisories/GHSA-g9rg-8vq5-mpwm
reference_id GHSA-g9rg-8vq5-mpwm
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-g9rg-8vq5-mpwm
4
reference_url https://github.com/doobidoo/mcp-memory-service/security/advisories/GHSA-g9rg-8vq5-mpwm
reference_id GHSA-g9rg-8vq5-mpwm
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-20T21:28:21Z/
url https://github.com/doobidoo/mcp-memory-service/security/advisories/GHSA-g9rg-8vq5-mpwm
fixed_packages
0
url pkg:pypi/mcp-memory-service@10.25.1
purl pkg:pypi/mcp-memory-service@10.25.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/mcp-memory-service@10.25.1
aliases CVE-2026-33010, GHSA-g9rg-8vq5-mpwm
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-bg8q-4jsh-xff9
1
url VCID-dvvj-bk4g-bfd9
vulnerability_id VCID-dvvj-bk4g-bfd9
summary 
mcp-memory-service Vulnerable to System Information Disclosure via Health Endpoint
The `/api/health/detailed` endpoint returns detailed system information including OS version, Python version, CPU count, memory totals, disk usage, and the full database filesystem path. When `MCP_ALLOW_ANONYMOUS_ACCESS=true` is set (required for the HTTP server to function without OAuth/API key), this endpoint is accessible without authentication. Combined with the default `0.0.0.0` binding, this exposes sensitive reconnaissance data to the entire network.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-29787
reference_id
reference_type
scores
0
value 0.00025
scoring_system epss
scoring_elements 0.07304
published_at 2026-06-06T12:55:00Z
1
value 0.00025
scoring_system epss
scoring_elements 0.07258
published_at 2026-06-09T12:55:00Z
2
value 0.00025
scoring_system epss
scoring_elements 0.07246
published_at 2026-06-08T12:55:00Z
3
value 0.00025
scoring_system epss
scoring_elements 0.07288
published_at 2026-06-07T12:55:00Z
4
value 0.00025
scoring_system epss
scoring_elements 0.07299
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-29787
1
reference_url https://github.com/doobidoo/mcp-memory-service
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/doobidoo/mcp-memory-service
2
reference_url https://github.com/doobidoo/mcp-memory-service/commit/18f4323ca92763196aa2922f691dfbeb6bd84e48
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-09T18:19:36Z/
url https://github.com/doobidoo/mcp-memory-service/commit/18f4323ca92763196aa2922f691dfbeb6bd84e48
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-29787
reference_id CVE-2026-29787
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-29787
4
reference_url https://github.com/advisories/GHSA-73hc-m4hx-79pj
reference_id GHSA-73hc-m4hx-79pj
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-73hc-m4hx-79pj
5
reference_url https://github.com/doobidoo/mcp-memory-service/security/advisories/GHSA-73hc-m4hx-79pj
reference_id GHSA-73hc-m4hx-79pj
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-09T18:19:36Z/
url https://github.com/doobidoo/mcp-memory-service/security/advisories/GHSA-73hc-m4hx-79pj
fixed_packages
0
url pkg:pypi/mcp-memory-service@10.21.0
purl pkg:pypi/mcp-memory-service@10.21.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-bg8q-4jsh-xff9
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/mcp-memory-service@10.21.0
aliases CVE-2026-29787, GHSA-73hc-m4hx-79pj
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-dvvj-bk4g-bfd9
Fixing_vulnerabilities
Risk_score4.0
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:pypi/mcp-memory-service@10.4.3