Vendor
CVE-2026-57860 describes an arbitrary code execution vulnerability in ForgeCode, an AI pair-programming CLI tool, where it automatically loads and executes commands specified in a repository's `.mcp.json` file upon startup without user confirmation, allowing attackers to achieve initial access and persistence on developer machines when a user runs `forge` within an untrusted, cloned repository.