
MCP server software contains critical remote code execution vulnerabilities that allow attackers to exploit configuration and task creation features.

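Cybersecurity · Apr 18, 2026 · score 0.17 · 3 posts · 0 replies across 1 instance

The posts below report three remote code execution vulnerabilities in software that configures or launches MCP servers: CVE-2026-30625 in Upsonic 0.71.6 (Critical, 9.8), CVE-2026-30624 in Agent Zero 0.9.8 (High, 8.6), and CVE-2026-30617 in LangChain-ChatChat 0.3.1 (High, 8.6). The affected features are MCP server configuration and MCP task creation. In Upsonic and Agent Zero, users can define MCP tasks or servers with arbitrary command and args values; in LangChain-ChatChat, a remote attacker can reach the publicly exposed MCP management interface and configure an MCP STDIO server.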

Claims

MCP server software contains critical remote code execution vulnerabilities that allow attackers to exploit configuration and task creation features.
Parent: Cybersecurity · Entity: MCP Server Software · Impact: negative · Date: Apr 18, 2026 · Target: MCP server software's security

Source posts

@[email protected]
🔴 CVE-2026-30625 - Critical (9.8) Upsonic 0.71.6 contains a remote code execution vulnerability in its MCP server/task creation functionality. The application allows users to define MCP tasks with arbitrary command and args values. Although an allowlist exists, certain allowed com... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-30625/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
0 boosts · 0 favs · 0 replies · Apr 18, 2026
@[email protected]
🟠 CVE-2026-30624 - High (8.6) Agent Zero 0.9.8 contains a remote code execution vulnerability in its External MCP Servers configuration feature. The application allows users to define MCP servers using a JSON configuration containing arbitrary command and args values. These va... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-30624/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
0 boosts · 0 favs · 0 replies · Apr 18, 2026
@[email protected]
🟠 CVE-2026-30617 - High (8.6) LangChain-ChatChat 0.3.1 contains a remote code execution vulnerability in its MCP STDIO server configuration and execution handling. A remote attacker can access the publicly exposed MCP management interface and configure an MCP STDIO server with... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-30617/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
0 boosts · 0 favs · 0 replies · Apr 18, 2026