A command injection vulnerability exists in the `prefect-github` integration for Prefect version 3.6.18. The `GitHubRepository` block's `reference` field is unsafely concatenated into a shell command string before parsing with `shlex.split()`, enabling arbitrary git option injection. Attackers with control over the `reference` parameter can inject flags such as `-c` to execute arbitrary commands, potentia [truncated]
CVE-2026-32871 is a critical vulnerability in the OpenAPIProvider of FastMCP, a Pythonic way to build MCP servers and clients. The vulnerability arises from the _build_url() method in the RequestDirector class, which fails to URL-encode path parameters when constructing HTTP requests to the backend service. This oversight enables attackers to perform path traversal attacks by manipulating path parameters, [truncated]