The open-source supply chain's newest soft underbelly showed itself today: the AI agent stack. PraisonAI shipped six criticals this morning, and the First Watch fetch added Crawl4AI (a CVSS-10 unauthenticated RCE plus an arbitrary-file-write and an SSRF), the gemini-mcp-tool and netlicensing-mcp MCP servers, AgenticMail's unauthenticated "bridge-wake" that resumes a Claude Code session with permissions disabled, and a twenty-advisory OpenClaw batch. The recurring shape is an agent or MCP server that binds a powerful control plane to the network with no auth, or guards it with a check that's wired in the wrong order or routable around — prompt and message become the new unauthenticated request.
Off the agent beat, the genuinely in-the-wild story is the ShapedPlugin update-channel compromise: trojanised commercial WordPress plugins pushed to paying customers through the vendor's own auto-update server, the same un-auditable-vendor-pipeline trust failure as last week's OptinMonster/Icegram tampering. CISA also catalogued CVE-2026-20253 today — a missing-auth arbitrary file create/truncate in Splunk Enterprise with a three-day BOD 26-04 deadline. Rounding out the day: a web-token/jose crypto cluster (algorithm confusion, a PBES2 p2c DoS, an RSA1_5 padding oracle), a second Daytona isolation break (sandbox-to-host path traversal), and Budibase SQLi across all three SQL connectors. The bright spot is that almost all of the agent-framework issues are pre-exploitation disclosures with fixes available — this is a chance to harden before the campaigns arrive.
→ Operational priority for the night: patch internet-reachable Splunk Enterprise (CVE-2026-20253, due 2026-06-21) and get every AI agent / MCP server off routable interfaces behind authenticating proxies before morning — Crawl4AI, gemini-mcp-tool, AgenticMail and OpenClaw included — then inventory ShapedPlugin plugins and freeze WordPress auto-updates.
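
One way to run the "off routable interfaces" check on a Linux host, as an added example that is not part of the original briefing: parse `ss -H -ltnp` output and list every TCP listener that is not confined to loopback. The sample output, ports and process names below are constructed.

```python
import ipaddress
import re

# Constructed sample of `ss -H -ltnp` output (not captured from a real host).
SAMPLE_SS = """\
LISTEN 0 4096 127.0.0.1:8080 0.0.0.0:* users:(("python3",pid=1201,fd=5))
LISTEN 0 128 0.0.0.0:8765 0.0.0.0:* users:(("python3",pid=2001,fd=7))
LISTEN 0 511 [::]:3000 [::]:* users:(("node",pid=2100,fd=20))
LISTEN 0 128 [::1]:5432 [::]:* users:(("postgres",pid=900,fd=6))
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:* users:(("systemd-resolve",pid=700,fd=14))
LISTEN 0 128 10.0.0.5:8000 0.0.0.0:* users:(("uvicorn",pid=3000,fd=3))
LISTEN 0 128 *:9090 *:*
"""

PROC_RE = re.compile(r'\(\("([^"]+)",pid=(\d+)')

def classify(host):
    """Return 'loopback', 'wildcard' or 'routable' for an ss local address."""
    host = host.strip("[]").split("%", 1)[0]   # drop IPv6 brackets and %iface
    if host == "*":
        return "wildcard"
    addr = ipaddress.ip_address(host)
    addr = getattr(addr, "ipv4_mapped", None) or addr   # ::ffff:127.0.0.1 -> 127.0.0.1
    if addr.is_loopback:
        return "loopback"
    return "wildcard" if addr.is_unspecified else "routable"

def exposed_listeners(ss_output):
    """List listeners reachable from other hosts (anything not loopback-only)."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, _, port = fields[3].rpartition(":")
        scope = classify(host)
        if scope == "loopback":
            continue
        m = PROC_RE.search(line)   # absent when ss ran without privileges
        proc, pid = (m.group(1), int(m.group(2))) if m else ("unknown", None)
        findings.append({"scope": scope, "port": int(port), "process": proc, "pid": pid})
    return findings

if __name__ == "__main__":
    for f in exposed_listeners(SAMPLE_SS):
        print(f"{f['scope']:<8} port {f['port']:<5} {f['process']} (pid {f['pid']})")
```

A listener flagged here still needs a manual check for whether an authenticating proxy or host firewall sits in front of it. Ports published by a container runtime are bound on the host, so run the check there as well as inside the container.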