From 6fad1f446e4f3ddf027987ade70b0e59dc6de626 Mon Sep 17 00:00:00 2001 From: cyy Date: Mon, 30 Mar 2026 15:16:52 +0800 Subject: [PATCH] docs: upgrade CVE-2026-26118 and CVE-2025-59828 to partial defense MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - CVE-2026-26118 (Azure MCP SSRF): block-ssrf-private-network now blocks internal IP targets in tool args; external attacker endpoint still not interceptable - CVE-2025-59828 (Yarn plugin autoload): configscan now detects malicious .yarnrc.yml yarnPath overrides; in-process loading still not interceptable - Both moved from Not Defensible → Partial in tracker and reference - Summary: 71 full, 3 partial, 10 not defensible (84 total) --- docs/cve-reference.md | 10 +++++----- docs/cve-tracker.md | 8 ++++---- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/docs/cve-reference.md b/docs/cve-reference.md index 9a66cf6..977a233 100644 --- a/docs/cve-reference.md +++ b/docs/cve-reference.md @@ -2,7 +2,7 @@ Complete inventory of all vulnerabilities tracked by Crust, derived from [cve-tracker.md](cve-tracker.md). -**Last verified:** 2026-03-30 | **Total: 84** (71 Full, 1 Partial, 12 Not defensible) +**Last verified:** 2026-03-30 | **Total: 84** (71 Full, 3 Partial, 10 Not defensible) ## Full Defense (71) 
@@ -80,22 +80,22 @@ Complete inventory of all vulnerabilities tracked by Crust, derived from [cve-tr | [CVE-2026-21852](https://nvd.nist.gov/vuln/detail/CVE-2026-21852) | (low-severity) | <8.0 | — | Env var redirect via `.env` ANTHROPIC_BASE_URL overrides | Config redirect scanner | | [CVE-2026-4270](https://nvd.nist.gov/vuln/detail/CVE-2026-4270) | (low-severity) | <8.0 | — | AWS MCP server-side path traversal | Path traversal suffix stripping + DLP | -## Partial Defense (1) +## Partial Defense (3) | CVE ID | Product | CVSS | CWE | Attack Vector | Defense Layer | |--------|---------|------|-----|---------------|---------------| | [CVE-2026-33980](https://nvd.nist.gov/vuln/detail/CVE-2026-33980) | MCP Ecosystem | 8.3 | CWE-943 | Azure Data Explorer MCP Server — KQL injection via tool calls | Crust sees tool call args but lacks KQL parser for injection detection | +| [CVE-2026-26118](https://nvd.nist.gov/vuln/detail/CVE-2026-26118) | Azure MCP Server | 8.8 | CWE-918 | Server-side SSRF leaks managed identity token | `block-ssrf-private-network` blocks internal IP targets; external attacker endpoint not interceptable | +| [CVE-2025-59828](https://github.com/anthropics/claude-code/security/advisories/GHSA-2jjv-qf24-vfm4) | Claude Code | 8.0 | N/A | Arbitrary Code Execution via Plugin Autoloading with Specific Yarn Versions | Configscan detects malicious `.yarnrc.yml` yarnPath; in-process loading still not interceptable | -## Not Defensible (12) +## Not Defensible (10) | CVE ID | Product | CVSS | Why Not Defensible | |--------|---------|------|--------------------| | [CVE-2025-64106](https://nvd.nist.gov/vuln/detail/CVE-2025-64106) | Cursor | 8.8 | IDE-internal deep-link MCP install flow — outside interception scope | | [CVE-2025-61591](https://nvd.nist.gov/vuln/detail/CVE-2025-61591) | Cursor | 8.8 | MCP OAuth impersonation — auth-layer attack, outside Crust's scope | | [GHSA-4575-fh42-7848](https://github.com/cursor/cursor/security/advisories/GHSA-4575-fh42-7848) | 
Cursor | 8.8 | IDE-internal deep-link modal bypass — outside interception scope | -| [CVE-2026-26118](https://nvd.nist.gov/vuln/detail/CVE-2026-26118) | Azure MCP Server | 8.8 | Server-side SSRF leaks managed identity token — executes inside MCP server process | | [CVE-2026-21523](https://nvd.nist.gov/vuln/detail/CVE-2026-21523) | Copilot/VS Code | 8.0 | TOCTOU race condition in IDE file handling — no tool calls involved | -| [CVE-2025-59828](https://github.com/anthropics/claude-code/security/advisories/GHSA-2jjv-qf24-vfm4) | Claude Code | 8.0 | In-process plugin autoloading via Yarn — outside Crust's interception scope | | [CVE-2026-0621](https://github.com/modelcontextprotocol/typescript-sdk/security/advisories/GHSA-cqwc-fm46-7fff) | MCP TS SDK | 8.0 | ReDoS — denial of service, outside scope | | [CVE-2025-53366](https://github.com/modelcontextprotocol/python-sdk/security/advisories/GHSA-3qhf-m339-9g5v) | MCP Python SDK | 8.0 | FastMCP validation error DoS — outside scope | | [CVE-2025-53365](https://github.com/modelcontextprotocol/python-sdk/security/advisories/GHSA-j975-95f5-7wqh) | MCP Python SDK | 8.0 | Streamable HTTP transport DoS — outside scope | diff --git a/docs/cve-tracker.md b/docs/cve-tracker.md index e82ddf7..b609271 100644 --- a/docs/cve-tracker.md +++ b/docs/cve-tracker.md @@ -9,8 +9,8 @@ Crust tracks vulnerabilities in AI coding agents and related tools to validate a | Status | Count | % | |--------|------:|----:| | Full defense | 71 | 84.5% | -| Partial defense | 1 | 1.2% | -| Not defensible | 12 | 14.3% | +| Partial defense | 3 | 3.6% | +| Not defensible | 10 | 11.9% | | **Total** | **84** | | Only high-risk resolved CVEs (CVSS >= 8.0) are listed individually below. Lower-severity resolved CVEs are counted in the summary but omitted for brevity. Fully resolved entries are periodically moved to the [archive](cve-tracker-archive.md). 
@@ -63,6 +63,7 @@ Only high-risk resolved CVEs (CVSS >= 8.0) are listed individually below. Lower- | [GHSA-x56v-x2h6-7j34](https://github.com/anthropics/claude-code/security/advisories/GHSA-x56v-x2h6-7j34) | **8.0** | CWE-78 | Command Injection in echo command bypasses user approval prompt | **Full** | Shell AST parser (same class as CVE-2025-54795) | | [CVE-2025-54794](https://github.com/anthropics/claude-code/security/advisories/GHSA-pmw4-pwvc-3hx2) | **8.0** | CWE-22 | Path Restriction Bypass — unauthorized file access when path prefixes collide | **Full** | Path normalization resolves prefix collisions | | [GHSA-9f65-56v6-gxw7](https://github.com/anthropics/claude-code/security/advisories/GHSA-9f65-56v6-gxw7) | **8.0** | N/A | IDE extensions allow websocket connections from arbitrary origins | **Full** | MCP HTTP Gateway origin validation | +| [CVE-2025-59828](https://github.com/anthropics/claude-code/security/advisories/GHSA-2jjv-qf24-vfm4) | **8.0** | N/A | Arbitrary Code Execution via Plugin Autoloading with Specific Yarn Versions | **Partial** | Configscan detects malicious `.yarnrc.yml` yarnPath; in-process loading still not interceptable | ### MCP Ecosystem 
@@ -71,6 +72,7 @@ Only high-risk resolved CVEs (CVSS >= 8.0) are listed individually below. Lower- | [CVE-2026-33989](https://nvd.nist.gov/vuln/detail/CVE-2026-33989) | **8.1** | CWE-22, CWE-73 | Mobile Next MCP server path traversal | **Full** | MCP gateway intercepts tool calls; path normalization | | [CVE-2026-33946](https://nvd.nist.gov/vuln/detail/CVE-2026-33946) | **8.2** | CWE-384, CWE-639 | MCP Ruby SDK session fixation / authorization bypass | **Full** | MCP gateway evaluates all tool calls regardless of session state | | [CVE-2026-33980](https://nvd.nist.gov/vuln/detail/CVE-2026-33980) | **8.3** | CWE-943 | Azure Data Explorer MCP Server — KQL injection via tool calls | **Partial** | Crust sees tool call args but lacks KQL parser | +| [CVE-2026-26118](https://nvd.nist.gov/vuln/detail/CVE-2026-26118) | **8.8** | CWE-918 | Azure MCP Server SSRF leaks managed identity token | **Partial** | `block-ssrf-private-network` blocks internal IP targets; external attacker endpoint not interceptable | | [GHSA-hc55-p739-j48w](https://github.com/modelcontextprotocol/servers/security/advisories/GHSA-hc55-p739-j48w) | **8.0** | N/A | Path validation bypass via colliding path prefix | **Full** | Path normalization resolves prefix collisions | | [GHSA-q66q-fx2p-7w4m](https://github.com/modelcontextprotocol/servers/security/advisories/GHSA-q66q-fx2p-7w4m) | **8.0** | N/A | Path validation bypass via symlink handling | **Full** | Symlink resolution (Step 6) | | [CVE-2025-66414](https://github.com/modelcontextprotocol/typescript-sdk/security/advisories/GHSA-w48q-cv73-mx4w) | **8.0** | CWE-1188 | DNS Rebinding Protection Disabled by Default (TS SDK) | **Full** | MCP HTTP Gateway origin validation | 
@@ -95,9 +97,7 @@ Issues where Crust currently cannot provide full defense: | [CVE-2025-64106](https://nvd.nist.gov/vuln/detail/CVE-2025-64106) | **8.8** | Cursor | IDE-internal deep-link MCP install flow — outside Crust's interception scope | | [GHSA-4575-fh42-7848](https://github.com/cursor/cursor/security/advisories/GHSA-4575-fh42-7848) | **8.8** | Cursor | IDE-internal deep-link modal bypass — outside interception scope | | [CVE-2025-61591](https://nvd.nist.gov/vuln/detail/CVE-2025-61591) | **8.8** | Cursor | MCP OAuth impersonation — auth-layer attack, outside Crust's scope | -| [CVE-2026-26118](https://nvd.nist.gov/vuln/detail/CVE-2026-26118) | **8.8** | Azure MCP Server | Server-side SSRF leaks managed identity token — SSRF executes inside MCP server process | | [CVE-2026-21523](https://nvd.nist.gov/vuln/detail/CVE-2026-21523) | **8.0** | Copilot/VS Code | TOCTOU race condition in IDE file handling — no tool calls involved, not interceptable | -| [CVE-2025-59828](https://github.com/anthropics/claude-code/security/advisories/GHSA-2jjv-qf24-vfm4) | **8.0** | Claude Code | In-process plugin autoloading via Yarn — outside Crust's interception scope | | [CVE-2026-0621](https://github.com/modelcontextprotocol/typescript-sdk/security/advisories/GHSA-cqwc-fm46-7fff) | **8.0** | MCP TS SDK | ReDoS — denial of service, outside scope | | [CVE-2025-53366](https://github.com/modelcontextprotocol/python-sdk/security/advisories/GHSA-3qhf-m339-9g5v) | **8.0** | MCP Python SDK | FastMCP validation error DoS — outside scope | | [CVE-2025-53365](https://github.com/modelcontextprotocol/python-sdk/security/advisories/GHSA-j975-95f5-7wqh) | **8.0** | MCP Python SDK | Streamable HTTP transport DoS — outside scope |
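Review bot: in the docs/cve-reference.md hunk at @@ -80,22 +80,22 @@, the two rows added under "Partial Defense (3)" claim new coverage (`block-ssrf-private-network`, Configscan), but the diffstat lists only docs/cve-reference.md and docs/cve-tracker.md, so nothing in this patch lets a reader verify the upgrade. Suggest pointing each Defense Layer cell, or the commit message, at the rule definition or test case that exercises the CVE. Separately, the Product cell of the new CVE-2026-26118 row is "Azure MCP Server" while the existing CVE-2026-33980 row in the same table uses the category "MCP Ecosystem"; pick one convention for that column.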
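Review bot: in the docs/cve-tracker.md hunk at @@ -63,6 +63,7 @@, the new CVE-2025-59828 row says Configscan "detects" a malicious `.yarnrc.yml` yarnPath but does not say what happens on detection or when the scan runs relative to the in-process loading that the same cell calls not interceptable. The Partial rating depends on that, so state the action taken (block, warn or log) and the point at which the scan runs. Minor: format yarnPath as code to match `.yarnrc.yml`, and settle on one spelling, since the commit message has "configscan" and the row has "Configscan".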
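Review bot: in the docs/cve-tracker.md hunk at @@ -71,6 +72,7 @@, the CVE-2026-26118 row describes the vector as "SSRF leaks managed identity token" and then says the external attacker endpoint is not interceptable, which leaves it unclear whether the token leak itself falls in the covered part or the residual part. Suggest writing the cell as covered case first, uncovered case second, and defining what "internal IP targets" includes (literal addresses in tool args only, or also hostnames that resolve to private ranges), so the Partial rating is not read as covering the leak.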
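Review bot: in the docs/cve-tracker.md hunk at @@ -95,9 +97,7 @@, the table is introduced as "Issues where Crust currently cannot provide full defense", and that sentence still describes the two rows being removed now that they are rated Partial. Either reword the intro so it covers only entries with no defense, or keep Partial entries in this table with their residual gap spelled out. The removed CVE-2026-26118 row also carried the reason ("SSRF executes inside MCP server process") that the new Partial rows no longer give; carry that explanation over to the Defense column.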