{"vulnerability": "cve-2026-4255", "sightings": [{"uuid": "9120ab1a-c878-4577-b728-290540f5a4f4", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42555", "type": "seen", "source": "https://bsky.app/profile/thehackerwire.bsky.social/post/3mm2tm4nnz62z", "content": "\ud83d\udd34 CVE-2026-42555 - Critical (9.1)\n\nValtimo is an open-source business process automation platform. com.ritense.valtimo:document from...\n\nhttps://www.thehackerwire.com/vulnerability/CVE-2026-42555/\n\n#infosec #cybersecurity #CVE #vulnerability #security #patchstack", "creation_timestamp": "2026-05-17T17:01:05.265395Z"}, {"uuid": "ca2d1c28-b775-4f7b-a2f2-dd990536b1e8", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42556", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mlf3rb64qt2e", "content": "CVE-2026-42556 - Postiz stored XSS in public preview page\nCVE ID : CVE-2026-42556\n \n Published : May 8, 2026, 11:16 p.m. | 1\u00a0hour, 4\u00a0minutes ago\n \n Description : Postiz is an AI social media scheduling tool. From version 2.21.6 to before version 2.21.7, any authenticated user ...", "creation_timestamp": "2026-05-09T01:28:33.040247Z"}, {"uuid": "ff0fb7ea-ce9a-4360-a0c5-b6fc891cf3e5", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-4255", "type": "seen", "source": "https://infosec.exchange/users/offseq/statuses/116237679238327076", "content": "", "creation_timestamp": "2026-03-16T07:30:38.099563Z"}, {"uuid": "149ad836-05de-4629-954e-a5628480a042", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42556", "type": "seen", "source": "https://bsky.app/profile/thehackerwire.bsky.social/post/3mleultxumj2z", "content": "\ud83d\udfe0 CVE-2026-42556 - High (8.9)\n\nPostiz is an AI social media scheduling tool. From version 2.21.6 to before version 2.21.7, any a...\n\nhttps://www.thehackerwire.com/vulnerability/CVE-2026-42556/\n\n#infosec #cybersecurity #CVE #vulnerability #security #patchstack", "creation_timestamp": "2026-05-08T23:20:15.909992Z"}, {"uuid": "b42e01c7-7021-478c-93ff-5d7778a07c1d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-42554", "type": "published-proof-of-concept", "source": "https://github.com/gofiber/fiber/security/advisories/GHSA-qjv7-627w-8qjv", "content": "", "creation_timestamp": "2026-04-25T13:08:32.000000Z"}, {"uuid": "a45a913a-3437-455e-bded-0118438c596b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42559", "type": "seen", "source": "https://gist.github.com/alon710/1478335359dc82e8637524c3acdbcdae", "content": "# GHSA-FVH2-GM75-J4J7: CVE-2026-42559: DNS Rebinding and CSRF in Model Context Protocol (MCP) HTTP Transport\n\n> **CVSS Score:** 8.8\n> **Published:** 2026-05-18\n> **Full Report:** https://cvereports.com/reports/GHSA-FVH2-GM75-J4J7\n\n## Summary\nThe Model Context Protocol (MCP) Rust SDK (`rmcp`), a transitive dependency of the `dynoxide` database proxy, contains a high-severity vulnerability in its streamable HTTP server transport. The component fails to properly validate incoming HTTP `Host` headers, permitting DNS rebinding and Cross-Origin Request Forgery (CSRF) attacks against locally running database proxies.\n\n## TL;DR\nA missing Host header validation in the rmcp HTTP transport allows attackers to execute arbitrary MCP tools on local dynoxide instances via DNS rebinding, leading to unauthenticated local database access.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CVSS Score**: 8.8\n- **EPSS Score**: 0.00018\n- **CWE ID**: CWE-346, CWE-350\n- **Attack Vector**: Network (DNS Rebinding)\n- **Exploit Status**: Proof of Concept\n- **Impact**: Data Exfiltration and Manipulation\n\n## Affected Systems\n\n- dynoxide-rs (crates.io)\n- dynoxide (npm)\n- rmcp (Model Context Protocol Rust SDK)\n- **dynoxide**: 0.9.3 - 0.9.12 (Fixed in: `0.9.13`)\n- **rmcp**: < 1.4.0 (Fixed in: `1.4.0`)\n\n## Mitigation\n\n- Upgrade the dynoxide binary to version 0.9.13 or later.\n- Upgrade the rmcp crate dependency to version 1.4.0 or later.\n- Disable the HTTP transport by using the default stdio transport (dynoxide mcp without --http).\n\n**Remediation Steps:**\n1. Identify all local installations of dynoxide.\n2. Update the dynoxide package using cargo install dynoxide-rs --force or npm update dynoxide.\n3. Verify the version by running dynoxide --version.\n4. Ensure start scripts do not include the --http flag if using older versions.\n\n## References\n\n- [NVD CVE Record: CVE-2026-42559](https://nvd.nist.gov/vuln/detail/CVE-2026-42559)\n- [RustSec Advisory: RUSTSEC-2026-0140](https://rustsec.org/advisories/RUSTSEC-2026-0140.html)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/GHSA-FVH2-GM75-J4J7) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-05-18T17:40:50.000000Z"}, {"uuid": "003666cd-5d5c-4542-bd09-f1e87f06cdba", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-42551", "type": "published-proof-of-concept", "source": "https://github.com/flightphp/core/security/advisories/GHSA-vxrr-w42w-w76g", "content": "", "creation_timestamp": "2026-04-29T13:03:34.000000Z"}, {"uuid": "99097ba9-cd5a-4b42-b564-3bcc04c982c2", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-42552", "type": "published-proof-of-concept", "source": "https://github.com/flightphp/core/security/advisories/GHSA-qrch-52m5-vv85", "content": "", "creation_timestamp": "2026-04-29T13:02:57.000000Z"}, {"uuid": "0e956f75-9b9b-4e9b-bd81-eca486711489", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-42550", "type": "published-proof-of-concept", "source": "https://github.com/flightphp/core/security/advisories/GHSA-xwqr-rcqg-22mr", "content": "", "creation_timestamp": "2026-04-29T13:03:28.000000Z"}, {"uuid": "40519821-f193-4327-aaa2-7b0ba1fa471a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42558", "type": "seen", "source": "https://bsky.app/profile/thehackerwire.bsky.social/post/3mny4wzvgc72p", "content": "\ud83d\udfe0 CVE-2026-42558 - High (7.6)\n\nXibo is an open source digital signage platform with a web content management system and Windows ...\n\nhttps://www.thehackerwire.com/vulnerability/CVE-2026-42558/\n\n#infosec #cybersecurity #CVE #vulnerability #security #patchstack", "creation_timestamp": "2026-06-11T02:00:40.157707Z"}, {"uuid": "16815e14-d9f5-48cb-a405-02c04352d0b2", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42558", "type": "seen", "source": "https://bsky.app/profile/postac001.bsky.social/post/3mny7yw76252o", "content": "Xibo CMS\uff084.4.2\u672a\u6e80\uff09\u306eStored XSS\u3068Iframe Sandbox escape\u306e\u8106\u5f31\u6027\u306b\u3088\u308a\u3001DataSet\u6a29\u9650\u3092\u6301\u3064\u30e6\u30fc\u30b6\u30fc\u304cXSS\u3092\u5b9f\u884c\u3067\u304d\u308b\u53ef\u80fd\u6027\u304c\u3042\u308b\u3002\nCVE-2026-42558 CVSS 7.6 | HIGH", "creation_timestamp": "2026-06-11T02:55:23.691274Z"}]}