// #mcp

2 articles

A critical authentication bypass vulnerability (CVSS 9.8) in the nginx-ui web management interface allows any network attacker to take complete control of the underlying Nginx server without credentials. Over 2,600 instances are internet-exposed and the flaw is being actively exploited. Update to version 2.3.4 immediately.

Apr 16, 2026 #rce +7

💻 AppSec

CVSS 10.0 Flowise RCE Actively Exploited Across 12,000 Exposed Instances

CVE-2025-59528, a maximum-severity remote code execution vulnerability in the Flowise AI workflow platform, is being actively exploited in the wild. Over 12,000 internet-exposed instances remain unpatched, allowing attackers to execute arbitrary JavaScript on host machines and extract API keys, credentials, and configuration secrets.

Apr 7, 2026 #rce +6

Commentary tagged #mcp

Opinion

The Model Context Protocol's Security Debt Is Already Piling Up

MCP's rapid enterprise adoption has outpaced its security design. The protocol was built to solve an integration problem, not a security one — and the debt is accumulating faster than the ecosystem can audit it.

CipherWatch Editorial

Security Intelligence Platform

Apr 29, 2026

nginx-ui CVE-2026-33032 Actively Exploited — Unauthenticated Full Server Takeover

CVSS 10.0 Flowise RCE Actively Exploited Across 12,000 Exposed Instances

Commentary tagged #mcp

The Model Context Protocol's Security Debt Is Already Piling Up