CVE-2026-13524

Publié : 29 juin 2026

Modifié : 29 juin 2026

Score CVSS

5.6

MEDIUM

Description détaillée

A security vulnerability has been detected in CherryHQ cherry-studio up to 1.9.6. This vulnerability affects unknown code of the file src/main/services/mcp/oauth/callback.ts of the component MCP OAuth Local Callback Server. The manipulation of the argument code leads to improper authorization. The attack can be initiated remotely. The attack is considered to have high complexity. It is stated that the exploitability is difficult. The exploit has been disclosed publicly and may be used. The pull request to fix this issue awaits acceptance.

Vecteur d'attaque (CVSS)

Vecteur brut :CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

Références et Patchs

https://github.com/CherryHQ/cherry-studio/https://github.com/CherryHQ/cherry-studio/issues/15372 https://github.com/CherryHQ/cherry-studio/pull/15388 https://vuldb.com/cve/CVE-2026-13524 https://vuldb.com/submit/840175 https://vuldb.com/vuln/374532 https://vuldb.com/vuln/374532/cti

Dernières Vulnérabilités

CVE-2026-9576

The Fluent Booking WordPress plugin before 2.1.2 does not verify ownership of the requested group_id before exporting attendee data via the export endpoint, allowing users with at least the Calendar Manager role to retrieve attendees' PII (name, email, phone, address, payment information) from calendar groups they do not own.

VOIR DÉTAILS

CVE-2026-56809

Multiple laser printers and MFPs (multifunction printers) which implement Ricoh Web Image Monitor contain a reflected cross-site scripting vulnerability. An arbitrary script may be executed on the web browser of the user who accesses Web Image Monitor.

VOIR DÉTAILS

CVE-2026-56808

DGM3103SCT provided by AVTECH Security Corporation contains an OS command injection vulnerability, which may lead to arbitrary command execution with the root privilege by a user who can log in to the web management console of the affected product.

VOIR DÉTAILS