This morning is two unauthenticated remote-code-execution disclosures, both in AI tooling that tends to sit one call away from a shell. CVE-2026-0755 is a command-injection flaw in gemini-mcp-tool, the npm MCP bridge to Google's Gemini, scored 9.8. Crawl4AI — the LLM-oriented web crawler — shipped a coordinated batch of fixes on June 18 that tops out at a clean CVSS 10.0. If you run either, upgrade before you read the rest of this. Nothing on the .NET or Angular side cleared the bar in the last 24 hours.

Worth your morning

gemini-mcp-tool (CVE-2026-0755). A command-injection flaw lets an unauthenticated request reach a shell call, so the impact is arbitrary command execution on the host running the MCP server — no auth, no user interaction, which is where the 9.8 comes from. Affected releases run 1.1.2 through 1.1.5; the fix is 1.1.6. If you've wired this tool into an agent, upgrade and treat any secrets that process could see as exposed.

Crawl4AI (June 18 batch). Nine advisories landed together, spanning unauthenticated RCE, SSRF, and path traversal in the Docker crawl service; the most severe is an argument-injection bug rated a full 10.0. They roll up into 0.9.0. If you run the Crawl4AI Docker endpoint anywhere reachable, patch to 0.9.0 — and the recurring theme across the batch is an unauthenticated Docker API, so don't expose it in the first place.

AgenticMail (GHSA-fq4x-789w-jg5h). An inbound email — from anyone — could resume a Claude Code session running in bypass-permissions mode, which is to say an unauthenticated stranger's message ran as the operator. Fixed across the scoped packages (core 0.9.43, claudecode 0.2.39, codex 0.1.33, openclaw 0.5.71). High, 8.2.