Home on Jashid Sany

mcp-recon: A Reconnaissance Scanner for MCP Servers

Thu, 23 Apr 2026 00:00:00 +0000

An open-source CLI that fingerprints Model Context Protocol servers and flags behavior patterns associated with publicly disclosed vulnerability classes. Think nmap for MCP.

CVE-Dedup-Checker: Parallel Duplicate Checks Across Free Vulnerability Databases

Sun, 19 Apr 2026 00:00:00 +0000

An open-source CLI that queries NVD, OSV, GitHub Advisories, WPScan, Patchstack, CISA KEV, and Exploit-DB in parallel so you can check for duplicate findings before submitting a CVE.

Zomato MCP: OAuth Scope Parameter Silently Rewritten, Not Enforced

Sun, 19 Apr 2026 00:00:00 +0000

The OAuth server fronting Zomato's MCP endpoint rewrites the scope request and issues tokens labeled 'offline openid' that nonetheless call every MCP tool, including checkout_cart. The advertised mcp:tools / mcp:resources / mcp:prompts scopes are never enforced at the application layer.

Claude Code Finding 5: Permission Deny Bypass via Script Write and Execute

Tue, 14 Apr 2026 00:00:00 +0000

Claude Code's Bash permission deny rules can be completely bypassed by writing denied commands into a script file and executing it. The parser evaluates only the script path, not its contents. Five explicitly denied commands executed and exfiltrated data to an external endpoint.

Windsurf Finding 1: Overly Permissive IDE Agent Bypasses Auto Execution Controls

Sun, 15 Mar 2026 00:00:00 +0000

Windsurf’s Cascade agent reads and writes files outside the workspace with zero confirmation, even with Auto Execution set to Disabled. The review prompt on writes is cosmetic: files exist on disk before the user can reject.

Windsurf Finding 2: Indirect Prompt Injection and Credential Exfiltration via GitHub Gists

Sun, 15 Mar 2026 00:00:00 +0000

How a hidden HTML comment in a GitHub Gist caused Windsurf’s Cascade agent to read SSH keys and AWS credentials, then exfiltrate them to an attacker-controlled endpoint with zero user interaction.

Enterprise Risk Assessment: Claude Desktop and Cowork Security

Sat, 14 Mar 2026 00:00:00 +0000

Comprehensive security risk assessment for organizations deploying Claude Desktop and Cowork in regulated environments, covering publicly disclosed vulnerabilities and independent research findings.

Research Paper: Trust Boundary Failures in AI Coding Agents

Sat, 14 Mar 2026 00:00:00 +0000

Empirical analysis of MCP configuration attacks in Claude Code with enterprise defensive architecture recommendations.

Claude Code Finding 1: Silent Command Execution via .mcp.json Trust Model

Thu, 12 Mar 2026 00:00:00 +0000

How a one-time trust decision in Claude Code enables silent arbitrary command execution when .mcp.json is modified after initial approval.

Claude Code Finding 2: MCP Blanket Trust Escalation via enableAllProjectMcpServers

Thu, 12 Mar 2026 00:00:00 +0000

How the 'Use this and all future MCP servers' option grants permanent, unbounded trust to arbitrary MCP server definitions added after the initial consent.

Claude Code Finding 3: MCP Tool Confirmation Prompt Misrepresentation Enables Arbitrary Code Execution

Thu, 12 Mar 2026 00:00:00 +0000

A malicious MCP server can misrepresent tool actions in Claude Code's confirmation prompt, causing users to approve a file read while the server silently executes system commands.

Claude Code Finding 4: Remote Control Session Hijacking via Missing Per-Session Authentication

Thu, 12 Mar 2026 00:00:00 +0000

The Claude Code remote-control session events endpoint lacks per-session authentication, enabling invisible remote command execution from any machine on the internet.

Remote Code Execution in docker-wkhtmltopdf-aas: Command Injection via Unsanitized Options

Sun, 01 Mar 2026 00:00:00 +0000

How I found a critical command injection vulnerability in docker-wkhtmltopdf-aas, a Dockerized HTML-to-PDF web service, and achieved remote code execution as root through unsanitized user options passed to a shell command.

Finding an RCE in iOS-remote: OS Command Injection via Flask

Sat, 28 Feb 2026 00:00:00 +0000

How I found an OS command injection vulnerability in iOS-remote, a Flask-based iOS device management tool, and achieved remote code execution through an unsanitized subprocess call.

My First CVE: DLL Hijacking in CactusViewer v2.3.0

Fri, 27 Feb 2026 00:00:00 +0000

How I discovered a DLL hijacking vulnerability in CactusViewer v2.3.0, built a proof of concept, and submitted it for a CVE ID.

Stego-Drop: Hiding Shellcode in PNG Images with LSB Steganography

Tue, 24 Feb 2026 00:00:00 +0000

A walkthrough of building stego-drop, a Python LSB steganography tool for embedding shellcode and binary payloads into PNG images.

Linux-Enum: Linux Auto-Enumerator

Sun, 22 Feb 2026 00:00:00 +0000

A Python tool to automate Linux enumeration for penetration testing and OSCP preparation.

Win-Enum: Windows & Active Directory Auto-Enumerator

Sun, 22 Feb 2026 00:00:00 +0000

A Python tool to automate Windows and Active Directory enumeration for penetration testing and OSCP preparation.

HackTheBox: Bashed - Web Shell Discovery & Cron Privilege Escalation