GitHub issue #232 (primary) · Threatint CVE entry · TheHackerWire

Independent researcher Winegee disclosed an OS-command-injection in browser-tools-mcp at versions ≤1.2.0 on April 2; the CVE was published April 26 with a CVSS score of 7.3. The flaw lives in browser-connector.ts: the server accepts attacker-controlled path data over HTTP or WebSocket, interpolates it into an osascript invocation without shell-safe escaping, and executes. The proof-of-concept is deterministic on macOS hosts where autoPaste is enabled and the screenshot endpoint is reachable. The repository's last response to the issue is silence; no patched version has shipped. This is the third MCP-server-implementation vulnerability the publication has logged in thirty days, alongside Flowise (CVE-2025-59528, CVSS 10.0) and the Vercel/Context.ai OAuth supply-chain breach. The provenance line repeats: marketplace-distributed integration code is reaching agent runtimes faster than baseline secure-coding hygiene reaches the maintainers. Operational fix this week: if your agent can connect to browser-tools-mcp, pin to a known build outside the vulnerable range or unregister the server entirely; do not re-enable on macOS hosts with autoPaste until a patched release ships and you can verify the diff.

Hugging Face blog · GitHub repo · MarkTechPost coverage

Hugging Face released ml-intern on April 21: a smolagents-built agent that automates LLM post-training end-to-end, from arXiv literature scan through dataset selection through training-script execution. On PostTrainBench (Tübingen / Max Planck, ten-hour single-H100 budget), it lifted Qwen3-1.7B from a roughly 10% GPQA baseline to 32% within budget — against a Claude Code reference of 22.99% on the same task. Read the headline framing carefully: "open-source agent beats Claude Code" is doing rhetorical work the underlying numbers cannot support. Claude Code was not built or tuned for PostTrainBench's specific workflow; comparing a domain-specialized agent to a general one on the specialist's benchmark is a category claim the result does not sustain. What the result does support is something different and more interesting: a tightly coupled cognitive system (agent + arXiv index + Hugging Face Hub + a constrained training loop) extends what a researcher's iteration cadence can be in a ten-hour window. The interesting object is the loop architecture, not the leaderboard line. If you run a post-training shop, the agent's loop pattern is worth examining for whether your team can adopt a thinner version (paper-scan → dataset-pull → script-execute → evaluate) before adopting any specific model claim.

CVE-2025-62373 entry · CVEReports writeup

Disclosure dated April 23. LivekitFrameSerializer.deserialize() accepted unauthenticated network input and unpickled it; Pipecat shipped 0.0.94 by removing the class entirely rather than patching around it. That choice — vendors who delete the offending surface rather than wallpaper over it — is the kind of intelligent accountability the publication wants to flag, but two sources is below the threshold for a full advisory and the broader voice-agent attack surface is under-mapped enough that a one-shot brief would mislead. The desk is holding the item for a longer essay on serialization-trust at the agent-tool boundary.