We found a 1-click RCE in Block's Goose AI agent - any website could silently execute commands on your machine.
How Missing Index Checks Allows Full Proof Forgery
How MCP Authentication Flaws Enable RCE in Claude Code, Gemini CLI, and More
