| ID | Title | Tags | Severity | CVSS | Affected | Published |
|---|---|---|---|---|---|---|
| CVE-2026-32173 | Azure SRE Agent Authentication Bypass Enables Unauthenticated Info Disclosure | azure, sre-agent | high | 8.6 | Microsoft Azure SRE Agent (unspecified) | Apr 3, 2026 |
| CVE-2026-34159 | llama.cpp RPC Deserialization Bypass Enables Unauthenticated RCE | llama.cpp, inference-engine | critical | 9.8 | llama.cpp < b8492 | Apr 1, 2026 |
| CVE-2026-34742 | MCP Go SDK DNS Rebinding Allows Malicious Websites to Invoke Local Agent Tools | mcp, go-sdk | high | N/A | Model Context Protocol Go SDK < 1.4.0 | Apr 1, 2026 |
| TH-10 | Axios npm Supply Chain Attack — Cross-Platform RAT via Postinstall Script | supply-chain, npm | critical | N/A | axios (npm) malicious versions published 2026-03-31 00:21–03:15 UTC | Mar 31, 2026 |
| TH-05 | ChatGPT Code Execution Runtime — Hidden DNS Outbound Channel Enables Data Exfiltration | chatgpt, data-exfiltration | high | N/A | OpenAI ChatGPT (Code Execution / Data Analysis runtime) < 2026-02-20 | Mar 30, 2026 |
| TH-04 | OpenAI Codex Command Injection via Branch Name — GitHub Token Theft | ai-coding-agent, command-injection | high | N/A | OpenAI Codex < Feb 5 2026 (web, SDK, IDE integrations) | Mar 30, 2026 |
| CVE-2026-32922 | OpenClaw Token Scope Bypass Allows Unauthenticated Privilege Escalation to Admin RCE | openclaw, privilege-escalation | critical | 9.9 | OpenClaw < 2026.3.11 | Mar 29, 2026 |
| CVE-2026-27893 | vLLM RCE via Hardcoded trust_remote_code Override | vllm, inference | high | 8.8 | vLLM >= 0.10.1, < 0.18.0 | Mar 27, 2026 |
| CVE-2026-33989 | Path Traversal in mobile-mcp Allows Arbitrary File Write via Screenshot Tools | mcp, agentic-security | high | 8.1 | @mobilenext/mobile-mcp < 0.0.49 | Mar 27, 2026 |
| CVE-2026-32628 | AnythingLLM SQL Injection in Built-in SQL Agent Plugin | sql-injection, agentic-security | high | 8.8 | AnythingLLM ≤ 1.11.1 | Mar 26, 2026 |
| TH-03 | Azure MCP Server RCE Enables Full Entra ID / Cloud Tenant Takeover | mcp, azure | critical | N/A | Azure MCP Server Streamable HTTP/SSE transport mode (all versions prior to patch) | Mar 26, 2026 |
| CVE-2026-23744 | MCPJam Inspector RCE via Unauthenticated MCP Server Installation | mcp, agentic-security | high | N/A | MCPJam Inspector ≤ 1.4.2 | Mar 25, 2026 |
| TH-02 | TeamPCP Backdoors LiteLLM via Trivy-Stolen CI/CD Credentials — 3.4M Daily Downloads, LLM API Keys Targeted | litellm, supply-chain | high | N/A | LiteLLM 1.82.7, 1.82.8 | Mar 24, 2026 |
| CVE-2026-33010 | mcp-memory-service Wildcard CORS Lets Any Website Steal, Modify, or Delete Agent Memories | mcp, agentic-security | high | 8.1 | mcp-memory-service < 10.25.1 | Mar 20, 2026 |
| CVE-2026-33068 | Claude Code Workspace Trust Dialog Bypassed by Malicious Repository Settings File | claude-code, agentic-security | high | 7.7 | Claude Code CLI < 2.1.53 | Mar 20, 2026 |
| CVE-2026-25536 | MCP TypeScript SDK Cross-Client Response Data Leak in Shared Server Deployments | mcp, agentic-security | high | 8.1 | @modelcontextprotocol/sdk (TypeScript) 1.10.0 – 1.25.3 | Mar 17, 2026 |
| CVE-2026-33017 | Langflow Unauthenticated RCE via Public Flow Build Endpoint — Exploited in 20 Hours | langflow, agentic-security | critical | 9.3 | Langflow <= 1.8.1 | Mar 17, 2026 |
| CVE-2026-4270 | AWS API MCP Server File Access Restriction Bypass | mcp, agentic-security | high | N/A | AWS API MCP Server (awslabs.aws-api-mcp-server) >= 0.2.14, < 1.3.9 | Mar 16, 2026 |
| CVE-2026-32617 | AnythingLLM: No Authentication on HTTP Endpoints and Agent WebSocket by Default | llm-framework, authentication-bypass | high | N/A | AnythingLLM (Mintplex-Labs) ≤ 1.11.1 | Mar 14, 2026 |
| CVE-2026-3059 | Unauthenticated RCE in SGLang LLM Serving Framework via Pickle Deserialization | llm-infrastructure, deserialization | critical | N/A | SGLang < 0.4.6.post1 | Mar 12, 2026 |
| CVE-2026-3060 | SGLang Encoder Disaggregation RCE via Unauthenticated Pickle Deserialization | llm-serving, pickle | critical | 9.8 | SGLang LLM Serving Framework, unpatched (no official fix at time of publication) | Mar 12, 2026 |
| CVE-2026-32247 | Graphiti Cypher Injection via LLM-Controlled Search Filters | mcp, agentic-security | high | N/A | Graphiti (graphiti-core) < 0.28.2 | Mar 12, 2026 |
| CVE-2026-27826 | Unauthenticated SSRF in mcp-atlassian via Custom Header Injection | mcp, atlassian | high | 8.5 | mcp-atlassian < patched | Mar 11, 2026 |
| CVE-2026-31829 | SSRF in Flowise AgentFlow HTTP Node Enables Internal Network Pivoting | flowise, agent-orchestration | high | N/A | Flowise < patched | Mar 11, 2026 |
| CVE-2026-26030 | Critical RCE in Microsoft Semantic Kernel Python SDK via Malicious Filter Expressions | semantic-kernel, agentic-security | critical | 9.8 | Microsoft Semantic Kernel Python SDK < patched March 2026 release | Mar 10, 2026 |
| CVE-2026-26118 | Azure MCP Server SSRF Enables Token Theft and Privilege Escalation | azure, mcp | high | 8.8 | Azure MCP Server < March 2026 patched release | Mar 10, 2026 |
| CVE-2026-26144 | Microsoft Excel XSS Enables Zero-Click Silent Data Exfiltration via Copilot Agent | copilot, excel | high | 7.5 | Microsoft Excel (with Copilot Agent mode); Microsoft Excel (pre-March 2026 Patch Tuesday) | Mar 10, 2026 |
| CVE-2026-30856 | Tool Execution Hijacking and Indirect Prompt Injection in Tencent WeKnora | mcp, tool-hijacking | high | N/A | Tencent WeKnora < 0.3.0 | Mar 7, 2026 |
| CVE-2026-29783 | GitHub Copilot CLI Shell Expansion Bypass Enables Arbitrary Code Execution | copilot, shell | high | N/A | GitHub Copilot CLI < 1.0.0 (patched build March 2026) | Mar 6, 2026 |
| TH-01 | Malicious AI Browser Extensions Harvest LLM Chat Histories at Enterprise Scale | supply-chain, agentic-security | high | N/A | Chromium-based AI assistant browser extensions (ChatGPT, DeepSeek sidebars); N/A — supply chain campaign | Mar 5, 2026 |
| CVE-2025-59536 | Claude Code MCP Consent Bypass — Repository Config Executes Before User Trust | claude-code, mcp | high | 8.7 | Anthropic Claude Code < patched (Feb 2026) | Feb 28, 2026 |
| CVE-2026-21852 | Claude Code API Key Theft via Malicious Repo — Zero Interaction Required | claude-code, mcp | critical | N/A | Anthropic Claude Code < patched (Feb 2026) | Feb 28, 2026 |
| CVE-2026-27825 | MCP SDK Remote Code Execution via Malformed Tool Response | mcp, remote-code-execution | critical | 9.8 | MCP SDK <= 1.2.3 | Feb 28, 2026 |
| CVE-2026-27896 | MCP Go SDK Case-Insensitive JSON Parsing Allows Security Control Bypass | mcp, agentic-security | high | 7.5 | Model Context Protocol (MCP) Go SDK < patched release | Feb 28, 2026 |
| CVE-2026-27966 | Langflow CSV Agent Node Executes LLM-Controlled Code Without Sandboxing — Full Server RCE | langflow, rce | critical | 10.0 | Langflow (CSV Agent node) < patched (Feb 2026) | Feb 25, 2026 |