CapitalGuard

Observatory threat wire

Known signals. Exact versions. Direct sources.

Vulnerabilities, platform security changes, and primary research that materially change an AI-agent security decision.

critical

CVE-2025-59944

Published 2025-10-03

Cursor sensitive-file protection bypass

Affected Cursor releases used case-sensitive checks around sensitive files, enabling a prompt-injection path to modify protected configuration on case-insensitive filesystems.

Affected

Cursor 1.6.23 and earlier.

Action

Update to Cursor 1.7 or later and review repository-controlled AI configuration before trust is granted.

high

CVE-2026-22708

Published 2026-01-14

Cursor terminal allowlist bypass

In a non-default Auto-Run plus Allowlist configuration, shell built-ins could alter environment variables without appearing in the command allowlist.

Affected

Cursor 2.2 and earlier in the affected configuration.

Action

Update to Cursor 2.3 or later and avoid treating command-name allowlists as a complete execution boundary.

high

CVE-2026-24887

Published 2026-02-03

Claude Code confirmation-prompt bypass

A command-parsing error could bypass the confirmation prompt and trigger an untrusted command when attacker-controlled content entered context.

Affected

Claude Code releases before 2.0.72.

Action

Update to 2.0.72 or later and keep untrusted repository content outside command-authorizing context.

high

CVE-2025-59532

Published 2025-09-22

Codex workspace sandbox-boundary bypass

Affected Codex releases could treat a model-generated working directory as the sandbox writable root, bypassing the intended workspace boundary.

Affected

Codex CLI 0.2.0 through 0.38.0; affected IDE extension releases before 0.4.12.

Action

Use Codex CLI 0.39.0 or later and IDE extension 0.4.12 or later, then verify the effective writable root before sensitive work.

high

CVE-2025-54073

Published 2025-07-18

MCP package-documentation server command injection

Unsanitized package arguments reached a shell command, creating a path from tool input or indirect prompt injection to command execution.

Affected

mcp-package-docs 0.1.27 and earlier.

Action

Update to 0.1.28 or later and use argument-safe process APIs rather than shell interpolation.

critical

CVE-2026-40576

Published 2026-04-12

Remote MCP spreadsheet server path traversal

Affected remote deployments failed to confine file paths to the configured spreadsheet directory, allowing arbitrary file read and write operations.

Affected

excel-mcp-server 0.1.7 and earlier.

Action

Update to 0.1.8 or later, bind remote services narrowly, authenticate requests, and validate resolved paths against the approved root.

informational

CGO-CHANGE-2026-06-09

Published 2026-06-09

GitHub adds security validation for third-party coding agents

GitHub made automatic CodeQL, dependency-advisory, and secret-scanning validation generally available for supported third-party coding-agent changes.

Affected

Supported GitHub agent workflows; coverage depends on repository and agent settings.

Action

Keep the validation enabled, but retain branch protection, review, and least-privilege controls around agent-generated changes.

informational

CGO-RESEARCH-2026-05

Published 2026-05-25

AgentSecBench formalizes three enforceable agent-security boundaries

The benchmark separates instruction integrity, retrieval confidentiality, and tool-use capability integrity instead of treating prompt text as an enforcement boundary.

Affected

Agentic systems that combine untrusted content, private context, and action-capable tools.

Action

Project trusted provenance, restrict capabilities before generation, and validate outputs before execution.

A known issue is a version check. Your real scope still needs a baseline.

Choose a License