CVE-2025-49596. CVE-2025-68143. CVE-2026-30615.

These are real CVE numbers assigned to MCP vulnerabilities in the past year. Each one describes a real attack. None of them tells you what the attack class is, what the AIVSS risk score is, how to detect it in a skill file, or what the remediation looks like. That information lives in a PDF, a blog post, or a researcher's GitHub repo - if it lives anywhere at all.

CVE was built for traditional software vulnerabilities. Buffer overflows. SQL injection. Memory corruption. The identifier scheme works for that world because the vulnerability is in the code and the fix is a patch.

AI agent vulnerabilities are different in a specific way. The payload is natural language. The "code" is a prompt. There is no binary to patch. And the same attack class, say prompt injection or credential exfiltration, can appear in any skill file, in any language, with any phrasing. The attack surface is not a function call. It is every sentence an agent is instructed to read.

What was missing When we started scanning agentic components in late 2025, we had three problems:

No stable identifiers. Every researcher was naming attack classes differently. "Tool poisoning" and "tool description injection" describe the same thing. "Goal hijacking" and "goal override" are the same attack. Without stable IDs, you cannot write detection rules that map to a shared taxonomy.

No scoring standard. CVSS scores agent vulnerabilities the same way it scores a buffer overflow: based on the code path, the privilege level, the access vector. None of that captures what makes agent vulnerabilities dangerous. An agent with persistent memory and external tool access amplifies the risk of a prompt injection by an order of magnitude compared to the same injection in a stateless chatbot.

No detection-oriented records. CVE records describe vulnerabilities after they are exploited. They do not include behavioral fingerprints, detection patterns, or indicators of compromise designed for static analysis. A scanner needs to know what to look for in a file, not what happened when an exploit ran.

What AVE is AVE - Agentic Vulnerability Enumeration which is an open vulnerability database for agentic AI components. Every record covers a distinct attack class affecting MCP servers, skill files, system prompts, and agent plugins.

Each record has:

A stable identifier: AVE-2026-NNNNN

An OWASP AIVSS v0.8 score (see below)

Behavioral fingerprint: a description of what the attack looks like in text

Behavioral vectors: concrete examples of the attack pattern

Detection methodology: how to find it statically

Indicators of compromise

Remediation guidance

OWASP MCP Top 10 and ASI mappings

NIST AI RMF and MITRE ATLAS mappings

The records are JSON files in a public GitHub repo. No API key. No account. Apache 2.0.

AIVSS: scoring what CVSS misses The scoring formula:

AIVSS = ((CVSS_Base + AARS) / 2) * ThM * Mitigation_Factor AARS is the Agentic Risk Score: the sum of 10 Agentic…

为什么值得关注

能改变理解方式,而不只是重复常识;符合当前抓取需求;它提供了新的理解或解释,而不只是表面观点

来源:reddit,领域:tech,保留分:0.67