The Delete function fails to properly validate offsets when processing malformed JSON input. This can lead to a negative slice index and a runtime panic, allowing a denial of service attack.

The remote openSUSE 16 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2026:20788-1 advisory.

    This update for mcphost fixes the following issues

    - CVE-2025-30153: github.com/getkin/kin-openapi/openapi3filter: Improper Handling of Highly Compressed     Data (Data       Amplification) in github.com/getkin/kin-openapi/openapi3filter (bsc#1264762).
    - CVE-2025-47913: golang.org/x/crypto/ssh/agent: client process termination when receiving an unexpected     message type in       response to a key listing or (bsc#1265274).
    - CVE-2025-47914: golang.org/x/crypto/ssh/agent: non validated message size can cause a panic due to an     out of bounds       read (bsc#1265275).
    - CVE-2025-58181: golang.org/x/crypto/ssh: invalidated number of mechanisms can cause unbounded memory     consumption       (bsc#1253952).
    - CVE-2026-32285: github.com/buger/jsonparser: denial of service via malformed JSON input (bsc#1264759).
    - CVE-2026-33186: google.golang.org/grpc: authorization bypass due to improper validation of the HTTP/2:
    path pseudo-       header (bsc#1260224).

    Changes for mcphost:

    - Updated to version 0.34.0
     * Features:
     - Upgrade charmbracelet libs to v2 (bubbletea, lipgloss, bubbles)
     - Add Google Vertex AI support for Claude models
     - Add new models.
     * Fixes:
     - Eliminate escape sequence leak from spinner tea.Program instances.
     - Fix anthropic api issue.
     - Convert JSON Schema draft-07 exclusive bounds to draft-04 format.
     * Upgrade all dependencies to latest versions, resolve security issues      and to obtain Go 1.26 compatibility.

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Fedora 43 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2026-6c547e9f64 advisory.

    Update to upstream 1.5.0, fix CVE-2026-32285 and CVE-2026-34986

    ----

    Update to upstream 1.5.0-rc.2

    ----

    Update to upstream 1.5.0-rc.1


Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Fedora 42 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2026-db5621b65e advisory.

    Update to upstream 1.5.0,  fix CVE-2026-32285 and CVE-2026-34986

    ----

    Update to upstream 1.5.0-rc.2

    ----

    Update to upstream 1.5.0-rc.1


Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Fedora 44 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2026-d516d12934 advisory.

    Update to upstream 1.5.0, fix CVE-2026-32285 and CVE-2026-34986

    ----

    Update to upstream 1.5.0-rc.2

    ----

    Update to upstream 1.5.0-rc.1


Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Fedora 44 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2026-6b87863841 advisory.

    Upstream release 2.98.0. https://github.com/jfrog/jfrog-cli/releases/tag/v2.98.0

    Resolves the following security issues:
    CVE-2025-11579     CVE-2025-66564     CVE-2026-23831     CVE-2026-23991     CVE-2026-23992     CVE-2026-24117     CVE-2026-24137     CVE-2026-24686     CVE-2026-32285     CVE-2026-33762     CVE-2026-34165     CVE-2026-34986

Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1607 advisory.

    crypto/tls: handshake messages may be processed at the incorrect encryption level (CVE-2025-61730)

    On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the     returned FileInfo could reference a file outside of the Root in which the File was opened. The impact of     this escape is limited to reading metadata provided by lstat from arbitrary locations on the filesystem     without permitting reading or writing files outside the root. (CVE-2026-27139)

    Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS     if the meta tag also has an http-equiv attribute with the value refresh. A new GODEBUG setting has been     added, htmlmetacontenturlescape, which can be used to disable escaping URLs in actions in the meta content     attribute which follow url= by setting htmlmetacontenturlescape=0. (CVE-2026-27142)

    Validating certificate chains which use policies is unexpectedly inefficient when certificates in the     chain contain a very large number of policy mappings, possibly causing denial of service. This only     affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots     CertPool, or in the system certificate pool. (CVE-2026-32281)

    On Linux, if the target of Root.Chmod is replaced with a symlink while the chmod operation is in progress,     Chmod can operate on the target of the symlink, even when the target lies outside the root.
    (CVE-2026-32282)

    The Delete function fails to properly validate offsets when processing malformed JSON input. This can lead     to a negative slice index and a runtime panic, allowing a denial of service attack. (CVE-2026-32285)

    Context was not properly tracked across template branches for JS template literals, leading to possibly     incorrect escaping of content. This could cause actions within JS template literals to be incorrectly     escaped, leading to XSS vulnerabilities. (CVE-2026-32289)

    gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass     resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too     lenient in its routing logic, accepting requests where the `:path` omitted the mandatory leading slash     (e.g., `Service/Method` instead of `/Service/Method`). While the server successfully routed these requests     to the correct handler, authorization interceptors (including the official `grpc/authz` package) evaluated     the raw, non-canonical path string. Consequently, deny rules defined using canonical paths (starting     with `/`) failed to match the incoming request, allowing it to bypass the policy if a fallback allow     rule was present. This affects gRPC-Go servers that use path-based authorization interceptors, such as the     official RBAC implementation in `google.golang.org/grpc/authz` or custom interceptors relying on     `info.FullMethod` or `grpc.Method(ctx)`; AND that have a security policy contains specific deny rules     for canonical paths but allows other requests by default (a fallback allow rule). The vulnerability is     exploitable by an attacker who can send raw HTTP/2 frames with malformed `:path` headers directly to the     gRPC server. The fix in version 1.79.3 ensures that any request with a `:path` that does not start with a     leading slash is immediately rejected with a `codes.Unimplemented` error, preventing it from reaching     authorization interceptors or handlers with a non-canonical path string. While upgrading is the most     secure and recommended path, users can mitigate the vulnerability using one of the following methods: Use     a validating interceptor (recommended mitigation); infrastructure-level normalization; and/or policy     hardening. (CVE-2026-33186)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of cri-tools installed on the remote host is prior to 1.32.0-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2026-3236 advisory.

    The Delete function fails to properly validate offsets when processing malformed JSON input. This can lead     to a negative slice index and a runtime panic, allowing a denial of service attack. (CVE-2026-32285)

    gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass     resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too     lenient in its routing logic, accepting requests where the `:path` omitted the mandatory leading slash     (e.g., `Service/Method` instead of `/Service/Method`). While the server successfully routed these requests     to the correct handler, authorization interceptors (including the official `grpc/authz` package) evaluated     the raw, non-canonical path string. Consequently, deny rules defined using canonical paths (starting     with `/`) failed to match the incoming request, allowing it to bypass the policy if a fallback allow     rule was present. This affects gRPC-Go servers that use path-based authorization interceptors, such as the     official RBAC implementation in `google.golang.org/grpc/authz` or custom interceptors relying on     `info.FullMethod` or `grpc.Method(ctx)`; AND that have a security policy contains specific deny rules     for canonical paths but allows other requests by default (a fallback allow rule). The vulnerability is     exploitable by an attacker who can send raw HTTP/2 frames with malformed `:path` headers directly to the     gRPC server. The fix in version 1.79.3 ensures that any request with a `:path` that does not start with a     leading slash is immediately rejected with a `codes.Unimplemented` error, preventing it from reaching     authorization interceptors or handlers with a non-canonical path string. While upgrading is the most     secure and recommended path, users can mitigate the vulnerability using one of the following methods: Use     a validating interceptor (recommended mitigation); infrastructure-level normalization; and/or policy     hardening. (CVE-2026-33186)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - The Delete function fails to properly validate offsets when processing malformed JSON input. This can lead     to a negative slice index and a runtime panic, allowing a denial of service attack. (CVE-2026-32285)

Note that Nessus relies on the presence of the package as reported by the vendor.

ID	Name	Product	Family	Severity
316856	openSUSE 16 Security Update : mcphost (openSUSE-SU-2026:20788-1)	Nessus	SuSE Local Security Checks	critical
315123	Fedora 43 : apptainer (2026-6c547e9f64)	Nessus	Fedora Local Security Checks	high
315117	Fedora 42 : apptainer (2026-db5621b65e)	Nessus	Fedora Local Security Checks	high
315108	Fedora 44 : apptainer (2026-d516d12934)	Nessus	Fedora Local Security Checks	high
311385	Fedora 44 : jfrog-cli (2026-6b87863841)	Nessus	Fedora Local Security Checks	high
311301	Amazon Linux 2023 : rclone (ALAS2023-2026-1607)	Nessus	Amazon Linux Local Security Checks	medium
306302	Amazon Linux 2 : cri-tools, --advisory ALAS2-2026-3236 (ALAS-2026-3236)	Nessus	Amazon Linux Local Security Checks	critical
304167	Linux Distros Unpatched Vulnerability : CVE-2026-32285	Nessus	Misc.	high

Detections

Analytics

CVE-2026-32285

high

Tenable Plugins

critical

high

high

high

high

medium

critical

high