PatchSiren

tailcallhq CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

HIGH tailcallhq CVE published 2026-07-17

CVE-2026-57860

CVE-2026-57860: ForgeCode, an AI pair-programming CLI, executes MCP servers defined in a repository's .mcp.json file without user confirmation. A malicious repository can supply a crafted .mcp.json file that specifies arbitrary command and args values, leading to arbitrary code execution when a user runs the forge CLI inside a cloned untrusted repository. This vulnerability provides a reliable initial-acc [truncated]