Threats Tagged 'cve-2026-11720'
View all threats tagged with 'cve-2026-11720'. Filter and sort to focus on specific types of threats.
Stop chasing alerts. Route them.
Start free, then upgrade once to turn Radar into an automated delivery engine for your security stack.
Custom feeds / Automations: email, Slack, webhooks, SIEM/MISP / API access (baseline limits)
API access activates after upgrading in Console -> Billing.
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.
Filter Threats
Narrow down the results by type, severity, or affected countries
Threats Tagged 'cve-2026-11720'
Click on any threat for detailed analysis and mitigation recommendations
CVE-2026-11720: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Google MCP Toolbox for Databases (googleapis/mcp-toolbox)CVE-2026-11720 0 A path traversal vulnerability exists in the HTTP tool URL builder of googleapis/mcp-toolbox. When constructing downstream API requests, the URL builder substitutes user-controlled pathParams into the configured tool path and parses the resulting string as a relative URL. While it checks that the input does not alter the scheme, host, or user info, it relies on ResolveReference for the final URL resolution. Because dot segments (../) are normalized during this resolution step, an attacker can supply path parameters containing directory traversal sequences to escape the operator-configured path scope. This allows the client to coerce the toolbox into making requests to unintended endpoints on the same target host while forwarding the toolbox's configured credentials (e.g., bypassing a restricted path like /api/v1/users/{{.id}} to reach /admin/secrets). Join the discussion | CVE Database V5 | 06/29/2026, 17:51:30 UTC Added: 06/29/2026, 18:06:31 UTC |
Showing 1 to 1 of 1 result