| CVE ID | Title | Vendor | Product | Severity | CVSS Score | Published At | AI Analysis |
|---|---|---|---|---|---|---|---|
| CVE-2026-41182 | LangSmith SDK: Streaming token events bypass output redaction | langchain-ai | langsmith-sdk | Medium | 5.3 | 2026-04-23 00:14:21 | Deep Dive |
| CVE-2026-6550 | Key commitment policy bypass via shared key cache in AWS Encryption SDK for Python | AWS | AWS Encryption SDK for Python | Medium | 4.7 | 2026-04-20 19:20:23 | Deep Dive |
| CVE-2026-27258 | DNG SDK | Out-of-bounds Write (CWE-787) | Adobe | DNG SDK | Medium | 5.5 | 2026-04-14 17:03:27 | Deep Dive |
| CVE-2026-40190 | LangSmith Client SDKs has Prototype Pollution in langsmith-sdk via Incomplete `__proto__` Guard in Internal lodash `set()` | langchain-ai | langsmith-sdk | Medium | 5.6 | 2026-04-10 19:47:58 | Deep Dive |
| CVE-2026-40070 | bsv-sdk and bsv-wallet persist unverified certifier signatures in acquire_certificate (direct and issuance paths) | sgbett | bsv-ruby-sdk | High | 8.1 | 2026-04-09 17:26:51 | Deep Dive |
| CVE-2026-40069 | bsv-sdk ARC broadcaster treats INVALID/MALFORMED/ORPHAN responses as successful broadcasts | sgbett | bsv-ruby-sdk | High | 7.5 | 2026-04-09 17:22:28 | Deep Dive |
| CVE-2026-39885 | FrontMCP Affected by SSRF via $ref Dereferencing in Untrusted OpenAPI Specifications | agentfront | frontmcp | High | 7.5 | 2026-04-08 20:34:21 | Deep Dive |
| CVE-2026-35568 | MCP Java-SDK has a DNS Rebinding Vulnerability | modelcontextprotocol | java-sdk | - | - | 2026-04-07 21:06:10 | Deep Dive |
| CVE-2026-39371 | RedwoodSDK has a CSRF vulnerability in server function dispatch via GET requests | redwoodjs | sdk | High | 8.1 | 2026-04-07 19:28:31 | Deep Dive |
| CVE-2026-35022 | Anthropic Claude Code & Agent SDK OS Command Injection via Authentication Helper | Anthropic | Claude Code | Critical | 9.8 | 2026-04-06 18:59:30 | Deep Dive |
| CVE-2026-35021 | Anthropic Claude Code & Agent SDK OS Command Injection via promptEditor.ts | Anthropic | Claude Code | High | 7.8 | 2026-04-06 18:59:07 | Deep Dive |
| CVE-2026-35020 | Anthropic Claude Code & Agent SDK OS Command Injection via TERMINAL Environment Variable | Anthropic | Claude Code | High | 8.4 | 2026-04-06 18:58:41 | Deep Dive |
| CVE-2026-34742 | Model Context Protocol Go SDK: DNS Rebinding Protection Disabled by Default for Servers Running on Localhost | modelcontextprotocol | go-sdk | - | - | 2026-04-02 18:32:35 | Deep Dive |
| CVE-2026-26927 | URL (HTTP Origin) call location spoofing in Szafir SDK Web | Krajowa Izba Rozliczeniowa | Szafir SDK Web | - | - | 2026-04-02 14:01:39 | Deep Dive |
| CVE-2026-34451 | Claude SDK for TypeScript: Memory Tool Path Validation Allows Sandbox Escape to Sibling Directories | anthropics | anthropic-sdk-typescript | 中危 | - | 2026-03-31 21:35:21 | Deep Dive |
| CVE-2026-34450 | Claude SDK for Python: Insecure Default File Permissions in Local Filesystem Memory Tool | anthropics | anthropic-sdk-python | 中危 | - | 2026-03-31 21:32:54 | Deep Dive |
| CVE-2026-34452 | Claude SDK for Python: Memory Tool Path Validation Race Condition Allows Sandbox Escape | anthropics | anthropic-sdk-python | 中危 | - | 2026-03-31 21:32:38 | Deep Dive |
| CVE-2026-34237 | MCP Java SDK has a Hardcoded Wildcard CORS (Access-Control-Allow-Origin: *) | modelcontextprotocol | java-sdk | Medium | 6.1 | 2026-03-31 15:40:01 | Deep Dive |
| CVE-2026-33946 | MCP Ruby SDK: Insufficient Session Binding Allows SSE Stream Hijacking via Session ID Replay | modelcontextprotocol | ruby-sdk | 中危 | - | 2026-03-27 21:20:08 | Deep Dive |
| CVE-2026-33252 | MCP Go SDK Allows Cross-Site Tool Execution for HTTP Servers without Authorizatrion | modelcontextprotocol | go-sdk | High | 7.1 | 2026-03-23 23:44:16 | Deep Dive |