Dismissed
(no matching packages found)
Permalink
CVE-2026-58446
6.9 MEDIUM
-
CVSS version (CVSS): 4.0
-
Attack Vector (AV): Network (N)
-
Attack Complexity (AC): Low (L)
-
Attack Requirement (AT): None (N)
-
Privileges Required (PR): None (N)
-
User Interaction (UI): None (N)
-
Vulnerable System Impact Confidentiality (VC): None (N)
-
Vulnerable System Impact Integrity (VI): Low (L)
-
Vulnerable System Impact Availability (VA): Low (L)
-
Subsequent System Impact Confidentiality (SC): None (N)
-
Subsequent System Impact Integrity (SI): None (N)
-
Subsequent System Impact Availability (SA): None (N)
-
Modified Attack Vector (MAV): Network (N)
-
Modified Attack Complexity (MAC): Low (L)
-
Modified Attack Requirement (MAT): None (N)
-
Modified Privileges Required (MPR): None (N)
-
Modified User Interaction (MUI): None (N)
-
Modified Vulnerable System Impact Confidentiality (MVC): None (N)
-
Modified Vulnerable System Impact Integrity (MVI): Low (L)
-
Modified Vulnerable System Impact Availability (MVA): Low (L)
-
Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
-
Modified Subsequent System Impact Integrity (MSI): Negligible (N)
-
Modified Subsequent System Impact Availability (MSA): Negligible (N)
-
Safety (S): Not Defined (X)
-
Automatable (AU): Not Defined (X)
-
Recovery (R): Not Defined (X)
-
Value Density (V): Not Defined (X)
-
Vulnerability Response Effort (RE): Not Defined (X)
-
Provider Urgency (U): Not Defined (X)
-
Confidentiality Req. (CR): Not Defined (X)
-
Integrity Req. (IR): Not Defined (X)
-
Availability Req. (AR): Not Defined (X)
-
Exploit Maturity (E): Not Defined (X)
created
2 weeks, 2 days ago
Activity log
-
Created & dismissed (no matching packages found) suggestion
2 weeks, 2 days ago
Presenton < 0.8.8-beta - Authentication Bypass of Session Auth via Unprotected MCP Endpoint
Presenton before 0.8.8-beta bundles an MCP server that, on server/Docker deployments configured with session authentication (AUTH_USERNAME/AUTH_PASSWORD), is reachable unauthenticated at /mcp because the nginx front-end does not apply the auth_request gate to that path and the MCP server auto-mints a valid internal session token for the configured user. A remote unauthenticated attacker can invoke MCP tools such as generate_presentation, performing authenticated application actions, consuming the operators configured LLM API keys, and creating presentations in the operators instance. The Electron desktop build is not affected (MCP disabled).