
ndjordjevic/pinrag

v0.9.8 Security

This release includes 8 security fixes for security teams reviewing exposed deployments.

Published 2 months ago · MCP Developer Tools

Topics

chromadb, cursor, discord, github-repos, langchain, mcp, mcp-server, model-context-protocol, pdf, pypi, python, llm, vscode, youtube

Affected surfaces

auth deps

Summary

AI summary

Security hardening: enforced HTTP/HTTPS GitHub URL validation, updated dependencies to fix multiple CVEs.

Full changelog

v0.9.8 — Security hardening

Addresses all Medium-severity findings from the MCP Marketplace security scan.

Security

  • GitHub URL validation — Rewrote _is_github_url to enforce scheme whitelist (http/https only), normalize the host to github.com, reject path traversal (..), and validate owner/repo segments against GitHub's naming rules.
  • pypdf ≥ 6.9.1 — Fixes CVE-2026-33123, CVE-2026-31826, CVE-2026-28351, CVE-2026-27888, CVE-2026-28804 (RunLengthDecode, FlateDecode XFA, ASCIIHexDecode RAM exhaustion and array-stream decoding).
  • requests ≥ 2.32.4 — Fixes CVE-2024-47081 (.netrc credential leak via malicious URLs).
  • yt-dlp ≥ 2026.3.17 — Fixes CVE-2023-46121 (proxy injection) and CVE-2023-35934 (cookie leak on redirect).
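The four checks the GitHub URL validation bullet describes (scheme whitelist, host normalisation, traversal rejection, owner/repo naming rules), as an added Python example. This is a hypothetical stand-alone re-implementation, not pinrag's own _is_github_url; the is_github_url name, the two regexes and the extra rejection of URLs carrying userinfo are assumptions.

```python
import re
from urllib.parse import urlsplit, unquote

# Hypothetical re-implementation of the checks listed in the changelog; not pinrag's code.
ALLOWED_SCHEMES = {"http", "https"}
# GitHub owner names: alphanumerics and single hyphens, no leading/trailing hyphen, max 39 chars.
OWNER_RE = re.compile(r"^(?=.{1,39}$)[A-Za-z0-9](?:-?[A-Za-z0-9])*$")
# GitHub repository names: letters, digits, '.', '_' and '-', max 100 chars.
REPO_RE = re.compile(r"^[A-Za-z0-9._-]{1,100}$")


def is_github_url(url: str) -> bool:
    """Return True only for an http(s) URL of the form github.com/<owner>/<repo>[/...]."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:  # e.g. malformed IPv6 literal in the authority
        return False
    # 1. Scheme whitelist: rejects file://, ftp://, javascript: and anything else.
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    # 2. Host normalisation: case-fold, drop a leading "www.", then require exactly github.com.
    #    Lookalike hosts such as github.com.example or example/github.com fail here.
    host = (parts.hostname or "").lower()
    if host.startswith("www."):
        host = host[4:]
    if host != "github.com":
        return False
    # Extra check (assumption, not in the changelog): no embedded credentials in the URL.
    if parts.username or parts.password:
        return False
    # 3. Path traversal: reject "." / ".." segments, also when percent-encoded.
    segments = [unquote(seg) for seg in parts.path.split("/") if seg != ""]
    if any(seg in (".", "..") for seg in segments):
        return False
    # 4. Owner and repo segments must both exist and satisfy GitHub's naming rules;
    #    trailing segments such as /tree/main are allowed through.
    if len(segments) < 2:
        return False
    owner, repo = segments[0], segments[1]
    if repo.endswith(".git"):
        repo = repo[:-4]
    return bool(OWNER_RE.match(owner) and REPO_RE.match(repo))
```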

Package metadata

  • [project.urls] — Added Homepage and Repository links so PyPI metadata points back to the GitHub repo (resolves "PyPI package has no GitHub URL" finding).

Docs

  • README — Added "Authentication and rate limits" paragraph documenting unauthenticated vs GITHUB_TOKEN usage for GitHub indexing.
  • Notes — Updated Cursor Directory and plugin bundle references in strategy docs.

Security Fixes

  • CVE-2026-33123, CVE-2026-31826, CVE-2026-28351, CVE-2026-27888, CVE-2026-28804 — fixed in pypdf ≥ 6.9.1
  • CVE-2024-47081 — fixed in requests ≥ 2.32.4 (netrc credential leak)
  • CVE-2023-46121 and CVE-2023-35934 — fixed in yt-dlp ≥ 2026.3.17 (proxy injection, cookie leak)


About ndjordjevic/pinrag

RAG for PDFs, YouTube, GitHub repos, Discord exports; index documents and query with citations.
