Vendor

Jovancoding

3 briefs RSS

Network-AI: Improper Neutralization of Special Elements used in an OS Command (CVE-2026-54051)

The `network-ai` package, versions prior to 5.9.1, is vulnerable to a critical command injection flaw (CVE-2026-54051) where the `ShellExecutor` component fails to properly neutralize shell metacharacters when processing commands, allowing an attacker to achieve arbitrary command execution as the orchestrator process by bypassing allowlist controls.

network-ai command-injection rce node.js linux macos software-supply-chain

2r 1t 1d ago

high advisory

Network-AI Unauthenticated Cross-Origin MCP Tool Invocation via Empty Default Secret (CVE-2026-46701)

2 rules 1 TTP

Network-AI is vulnerable to an unauthenticated cross-origin attack due to an empty default secret and permissive CORS configuration, allowing an attacker to lure a user to a malicious web page and invoke MCP tools like config_set, agent_spawn, and blackboard_write against a default-configured localhost server.

Network-AI cve cve-2026-46701 network cross-origin authentication bypass

2r 1t 4w ago

critical advisory

Network-AI Unauthenticated Access to MCP HTTP Endpoint

2 rules 1 TTP 2 IOCs

Network-AI is vulnerable to missing authentication on the MCP HTTP endpoint, allowing unauthenticated privileged tool calls that could lead to configuration changes and agent manipulation.

Network-AI cwe-306 authentication-bypass

2r 1t 2i Jan 9, 2024