{"vulnerability": "cve-2026-4255", "sightings": [{"uuid": "149ad836-05de-4629-954e-a5628480a042", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42556", "type": "seen", "source": "https://bsky.app/profile/thehackerwire.bsky.social/post/3mleultxumj2z", "content": "\ud83d\udfe0 CVE-2026-42556 - High (8.9)\n\nPostiz is an AI social media scheduling tool. From version 2.21.6 to before version 2.21.7, any a...\n\nhttps://www.thehackerwire.com/vulnerability/CVE-2026-42556/\n\n#infosec #cybersecurity #CVE #vulnerability #security #patchstack", "creation_timestamp": "2026-05-08T23:20:15.909992Z"}, {"uuid": "ff0fb7ea-ce9a-4360-a0c5-b6fc891cf3e5", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-4255", "type": "seen", "source": "https://infosec.exchange/users/offseq/statuses/116237679238327076", "content": "", "creation_timestamp": "2026-03-16T07:30:38.099563Z"}, {"uuid": "ca2d1c28-b775-4f7b-a2f2-dd990536b1e8", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42556", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mlf3rb64qt2e", "content": "CVE-2026-42556 - Postiz stored XSS in public preview page\nCVE ID : CVE-2026-42556\n \n Published : May 8, 2026, 11:16 p.m. | 1\u00a0hour, 4\u00a0minutes ago\n \n Description : Postiz is an AI social media scheduling tool. From version 2.21.6 to before version 2.21.7, any authenticated user ...", "creation_timestamp": "2026-05-09T01:28:33.040247Z"}, {"uuid": "a45a913a-3437-455e-bded-0118438c596b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42559", "type": "seen", "source": "https://gist.github.com/alon710/1478335359dc82e8637524c3acdbcdae", "content": "# GHSA-FVH2-GM75-J4J7: CVE-2026-42559: DNS Rebinding and CSRF in Model Context Protocol (MCP) HTTP Transport\n\n> **CVSS Score:** 8.8\n> **Published:** 2026-05-18\n> **Full Report:** https://cvereports.com/reports/GHSA-FVH2-GM75-J4J7\n\n## Summary\nThe Model Context Protocol (MCP) Rust SDK (`rmcp`), a transitive dependency of the `dynoxide` database proxy, contains a high-severity vulnerability in its streamable HTTP server transport. The component fails to properly validate incoming HTTP `Host` headers, permitting DNS rebinding and Cross-Origin Request Forgery (CSRF) attacks against locally running database proxies.\n\n## TL;DR\nA missing Host header validation in the rmcp HTTP transport allows attackers to execute arbitrary MCP tools on local dynoxide instances via DNS rebinding, leading to unauthenticated local database access.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CVSS Score**: 8.8\n- **EPSS Score**: 0.00018\n- **CWE ID**: CWE-346, CWE-350\n- **Attack Vector**: Network (DNS Rebinding)\n- **Exploit Status**: Proof of Concept\n- **Impact**: Data Exfiltration and Manipulation\n\n## Affected Systems\n\n- dynoxide-rs (crates.io)\n- dynoxide (npm)\n- rmcp (Model Context Protocol Rust SDK)\n- **dynoxide**: 0.9.3 - 0.9.12 (Fixed in: `0.9.13`)\n- **rmcp**: < 1.4.0 (Fixed in: `1.4.0`)\n\n## Mitigation\n\n- Upgrade the dynoxide binary to version 0.9.13 or later.\n- Upgrade the rmcp crate dependency to version 1.4.0 or later.\n- Disable the HTTP transport by using the default stdio transport (dynoxide mcp without --http).\n\n**Remediation Steps:**\n1. Identify all local installations of dynoxide.\n2. Update the dynoxide package using cargo install dynoxide-rs --force or npm update dynoxide.\n3. Verify the version by running dynoxide --version.\n4. Ensure start scripts do not include the --http flag if using older versions.\n\n## References\n\n- [NVD CVE Record: CVE-2026-42559](https://nvd.nist.gov/vuln/detail/CVE-2026-42559)\n- [RustSec Advisory: RUSTSEC-2026-0140](https://rustsec.org/advisories/RUSTSEC-2026-0140.html)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/GHSA-FVH2-GM75-J4J7) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-05-18T17:40:50.000000Z"}, {"uuid": "9120ab1a-c878-4577-b728-290540f5a4f4", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42555", "type": "seen", "source": "https://bsky.app/profile/thehackerwire.bsky.social/post/3mm2tm4nnz62z", "content": "\ud83d\udd34 CVE-2026-42555 - Critical (9.1)\n\nValtimo is an open-source business process automation platform. com.ritense.valtimo:document from...\n\nhttps://www.thehackerwire.com/vulnerability/CVE-2026-42555/\n\n#infosec #cybersecurity #CVE #vulnerability #security #patchstack", "creation_timestamp": "2026-05-17T17:01:05.265395Z"}, {"uuid": "b42e01c7-7021-478c-93ff-5d7778a07c1d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-42554", "type": "published-proof-of-concept", "source": "https://github.com/gofiber/fiber/security/advisories/GHSA-qjv7-627w-8qjv", "content": "", "creation_timestamp": "2026-04-25T13:08:32.000000Z"}, {"uuid": "003666cd-5d5c-4542-bd09-f1e87f06cdba", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-42551", "type": "published-proof-of-concept", "source": "https://github.com/flightphp/core/security/advisories/GHSA-vxrr-w42w-w76g", "content": "", "creation_timestamp": "2026-04-29T13:03:34.000000Z"}, {"uuid": "99097ba9-cd5a-4b42-b564-3bcc04c982c2", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-42552", "type": "published-proof-of-concept", "source": "https://github.com/flightphp/core/security/advisories/GHSA-qrch-52m5-vv85", "content": "", "creation_timestamp": "2026-04-29T13:02:57.000000Z"}, {"uuid": "0e956f75-9b9b-4e9b-bd81-eca486711489", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-42550", "type": "published-proof-of-concept", "source": "https://github.com/flightphp/core/security/advisories/GHSA-xwqr-rcqg-22mr", "content": "", "creation_timestamp": "2026-04-29T13:03:28.000000Z"}]}