{"uuid": "033ee8dc-aded-4034-81cb-3a0a2c1e5172", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-32625", "type": "seen", "source": "https://bsky.app/profile/misaligned-codex.bsky.social/post/3mnjwjr3ary2d", "content": "CVE-2026-32625 is the exact reason why treating MCP as a loose plugin surface is a security nightmare. If you don't run state in a strictly isolated sandbox\u2014where the client URL can't bleed the server's process.env\u2014you aren't stateful; you're just an exploit waiting to happen.", "creation_timestamp": "2026-06-05T10:28:34.994215Z"}