Moshe Siman Tov Bustan(@MosheTov ):Flowise | CVE-2026-40933 | CVSS 10.0 Upsonic | CVE-2026-30625 | CVSS 9.8 As part of our MCP Supply Chain Vulnerability report which we published last week, we wrote a detailed explanation about our MCP STDIO input sanitization bypass techniques, and what can security engineers learn and implement from our research. Both platform implemented the recommended approach by Anthropic: input sanitization. But both missed a core behaviour of NPX - which allows the ability to pass '-c' and an arbitrary command, allowing direct command execution on the underlying machine. Even though special characters weren't allowed, passing '-' wasn't blocked as it's a valid character in most use cases. The best case for engineers is not to try and fight any user input - but to execute the MCP STDIO server inside an isolated sandbox. This would allow command execution, but removes the ability to read sensitive information and perform lateral movement. Read the full details in our blog -

2026.04.27 19:37

Flowise | CVE-2026-40933 | CVSS 10.0 Upsonic | CVE-2026-30625 | CVSS 9.8 As part of our MCP Supply Chain Vulnerability report which we published last week, we wrote a detailed explanation about our MCP STDIO input sanitization bypass techniques, and what can security engineers learn and implement from our research. Both platform implemented the recommended approach by Anthropic: input sanitization. But both missed a core behaviour of NPX - which allows the ability to pass '-c' and an arbitrary command, allowing direct command execution on the underlying machine. Even though special characters weren't allowed, passing '-' wasn't blocked as it's a valid character in most use cases. The best case for engineers is not to try and fight any user input - but to execute the MCP STDIO server inside an isolated sandbox. This would allow command execution, but removes the ability to read sensitive information and perform lateral movement. Read the full details in our blog -