6 CRIT · 1 HIGH · 3 INFO · THREAT RED · 10 items · Generated in 256s
Exposes HTTP transport without authentication, allowing unauthenticated clients to invoke master-only operations
Attacker can inject arbitrary Stata commands by crafting a malicious log_file_name
MCP Server Kubernetes: kubectl-generic flag injection enables Kubernetes bearer token exfiltration, privilege escalation attack possible
vLLM's revision pinning controls do not consistently apply to all artifacts loaded for a model
unauthenticated HTTP requests can invoke MCP tools without authentication
Early access to vulnerabilities for patching
MCP token holder can read any file in shared storage, including attachments from other bases and workspaces
New platform for bug bounty in AI/ML libraries
security risks in AI systems
Claude Fable is using Python to iterate through all available windows on the machine, potentially accessing sensitive information