{"id":107354,"date":"2026-02-26T15:00:00","date_gmt":"2026-02-26T13:00:00","guid":{"rendered":"https:\/\/staging.checkmarx.com\/?post_type=zero-post&#038;p=107354"},"modified":"2026-02-27T20:37:16","modified_gmt":"2026-02-27T18:37:16","slug":"last-week-in-appsec-for-26-february-2026","status":"publish","type":"zero-post","link":"https:\/\/checkmarx.com\/zero-post\/last-week-in-appsec-for-26-february-2026\/","title":{"rendered":"Last Week in AppSec for 26. February 2026"},"content":{"rendered":"<style type=\"text\/css\">@import url(\"https:\/\/cdnjs.cloudflare.com\/ajax\/libs\/highlight.js\/11.11.1\/styles\/vs2015.min.css\");@font-face{font-family:'Hack';src:url('https:\/\/cdnjs.cloudflare.com\/ajax\/libs\/hack-font\/3.3.0\/web\/fonts\/hack-regular-subset.woff2') format('woff2')}:root{--code-font:'Hack','Menlo','Consolas',monospace !important;--code-bg:#1e1e1e;--code-color:#0c1;--code-dim:#071;--text-color:#121185;--highlight-color:#f8ff91;--highlight-color-alt:#736ca0}article.content{max-width:100% !important;min-width:80% !important;width:99% !important}.wp-block-code code{text-wrap:nowrap !important}figure{margin-top:1.5rem;margin-bottom:1.5rem}p.caption,figcaption{font-size:1rem !important;font-style:italic !important;color:var(--code-dim) !important}p.caption *,figcaption *{font-size:inherit !important}div.callout{max-width:80% !important;padding-top:.5rem;padding-bottom:.5rem;margin-top:1rem;margin-bottom:1rem;display:block;margin-left:10%;border-top:.3rem solid #121185;border-bottom:.3rem solid #121185}div.callout p{font-size:x-large;text-align:left;font-weight:bold}.cxzero-video-include{display:block;max-width:1920px;width:100%;padding-top:1rem;padding-bottom:1rem}.cxzero-video-include video{display:block;padding:.5rem;background-color:var(--code-bg);width:98%;object-fit:cover}pre.wp-block-code,pre.highlighted-code,pre.sourceCode,pre{border:1px solid 
var(--code-color);width:90%;background-color:var(--code-bg);color:var(--code-color);margin:1em;padding:2em;overflow-x:scroll;font-family:var(--code-font);font-size:10.5pt;line-height:1.1em;text-wrap:nowrap !important;box-shadow:5px 5px 13px 0 var(--code-bg)}* kbd,* code,* tt{font-family:var(--code-font);padding-inline:.5em;color:var(--code-dim);font-size:85%}pre code{color:var(--code-color);font-size:90%}pre.highlighted-code span{font-family:var(--code-font);font-size:10.5pt;color:var(--code-color)}pre.highlighted-code span.comment{font-style:italic;color:var(--code-dim)}pre.highlighted-code span.keyword,pre.highlighted-code span.preproc{font-weight:bold;font-style:oblique}blockquote,blockquote *{font-size:1.375rem !important;font-style:italic !important}blockquote{border-left:.1rem solid;padding-left:1rem}mark,mark *{background-color:var(--highlight-color) !important}mark.ai-content,mark.ai-content *{background-color:var(--highlight-color-alt) !important;color:#fff !important}.cxzero-cve-block{border:1px solid var(--code-color,#0c1);padding:.5rem;p{padding:0;margin:0}span.vulndesc{display:block;font-size:.9rem;font-weight:400;font-style:italic}span.cvss::before{content:\"  \"}span.cvss{background:#fe0}span.cvss.critical{background:#c00;color:#eee}span.cvss.high{background:#ffac1c;color:#0015ff}span.vector::before{content:\"\u25b8\"}span.vector,span.vector *{overflow-wrap:break-word;font-family:var(--code-font);font-size:10pt}.kev{display:block;font-weight:bold}.kev::before{content:\"\u203c\ufe0f\"}}.print-source-info{display:none}@media print{.header,.header *,.article-nav,.article-nav *,.aticle-nav,.aticle-nav *,.section_latest,.section-latest *,footer,footer *,.section-menu-page,.section-menu-page *,.top-menu,.top-menu *,.top-menu__container,.top-menu__container *,.section-zero-article,.section-zero-article *{display:none}@page{margin:13mm !important}.section-aticle-header__image-or-video{max-width:125mm}.print-source-info{display:block;border-left:.2rem solid 
#000;font-style:italic !important;font-size:85%;padding-left:1rem}}<\/style> <script src=\"https:\/\/cdnjs.cloudflare.com\/ajax\/libs\/highlight.js\/11.11.1\/highlight.min.js\" integrity=\"sha512-EBLzUL8XLl+va\/zAsmXwS7Z2B1F9HUHkZwyS\/VKwh3S7T\/U0nF4BaU29EP\/ZSf6zgiIxYAnKLu6bJ8dqpmX5uw==\" crossorigin=\"anonymous\" referrerpolicy=\"no-referrer\"><\/script> <script>hljs.highlightAll();<\/script> \n\n\n\n<p class=\"print-source-info\"><script>document.write(\"Copyright Checkmarx, all rights reserved. Retrieved \"+new Date().toLocaleDateString()+\" from<br\/>\"+window.location.href);<\/script><noscript>This document copyright Checkmarx, all rights reserved.<\/noscript><\/p>\n\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"ai-trust-continues-to-be-a-challenge.\">AI trust continues to be a challenge.<\/h2>\n\n\n\n<p>The acceleration promised by AI code assistants leads developers and others to relax their trust boundaries, and tool makers find themselves constantly weighing what they should protect users against and what risks users are accepting for themselves.<\/p>\n\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"trusting-the-wrong-repo-leads-to-remote-code-execution-in-claude-code-cve-2025-59536-and-cve-2026-21852\">Trusting the wrong repo leads to Remote Code Execution in Claude Code (CVE-2025-59536 and CVE-2026-21852)<\/h2>\n\n\n\n<div id=\"CVE-2025-59536\" class=\"cxzero-cve-block\">\n  <p>\n    <a href=\"https:\/\/devhub.checkmarx.com\/cve-details\/CVE-2025-59536\/\" class=\"vulnid\">CVE-2025-59536<\/a>\n    <span class=\"cvss high\">CVSS v4.0 =8.7<\/span>\n    <span class=\"vector\"><a href=\"https:\/\/www.first.org\/cvss\/calculator\/4-0#CVSS:4.0\/AV:N\/AC:L\/AT:N\/PR:N\/UI:P\/VC:H\/VI:H\/VA:H\/SC:N\/SI:N\/SA:N\/E:X\/CR:X\/IR:X\/AR:X\/MAV:X\/MAC:X\/MAT:X\/MPR:X\/MUI:X\/MVC:X\/MVI:X\/MVA:X\/MSC:X\/MSI:X\/MSA:X\/S:X\/AU:X\/R:X\/V:X\/RE:X\/U:X\">CVSS:4.0\/&#8230;<\/a><\/span>\n    <span class=\"vulndesc\">Claude Code\u2019s startup trust dialog could lead to Command Execution\n      attack<\/span>\n  <\/p>\n<\/div>\n<div 
id=\"CVE-2026-21852\" class=\"cxzero-cve-block\">\n  <p>\n    <a href=\"https:\/\/devhub.checkmarx.com\/cve-details\/CVE-2026-21852\/\" class=\"vulnid\">CVE-2026-21852<\/a>\n    <span class=\"cvss\">CVSS v4.0 =5.3<\/span>\n    <span class=\"vector\"><a href=\"https:\/\/www.first.org\/cvss\/calculator\/4-0#CVSS:4.0\/AV:N\/AC:L\/AT:N\/PR:N\/UI:P\/VC:L\/VI:L\/VA:L\/SC:N\/SI:N\/SA:N\/E:X\/CR:X\/IR:X\/AR:X\/MAV:X\/MAC:X\/MAT:X\/MPR:X\/MUI:X\/MVC:X\/MVI:X\/MVA:X\/MSC:X\/MSI:X\/MSA:X\/S:X\/AU:X\/R:X\/V:X\/RE:X\/U:X\">CVSS:4.0\/&#8230;<\/a><\/span><span class=\"vulndesc\">Claude Code\u2019s MCP configuration may lead to remote code execution<\/span>\n  <\/p>\n<\/div>\n\n\n\n<p>A pair of CVEs against Claude Code this week relate to the trust developers place in configuration files stored in code repositories.<\/p>\n\n\n\n<p>We\u2019d hope that repositories for an organization\u2019s private projects wouldn\u2019t pose high risk for this sort of tampering. However, developers who work on public or open-source projects should be extra cautious. And organizations shouldn\u2019t assume private projects are fully safe: insider threats and even attackers who manage to have a foothold that gives them repo access are genuine risks to consider and appropriately manage.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"untrusted-hooks\">Untrusted Hooks<\/h3>\n\n\n\n<p><a href=\"https:\/\/code.claude.com\/docs\/en\/hooks-guide\">Claude Code\u2019s \u201chooks\u201d feature<\/a>&nbsp;permits the user\u2019s&nbsp;<code>settings.json<\/code>&nbsp;configuration file to specify commands that should be run at various points in a Claude Code session; for example, you can specify a&nbsp;<code>SessionStart<\/code>&nbsp;hook to run commands the moment you start Claude Code.<\/p>\n\n\n\n<p>If a&nbsp;<code>.claude\/settings.json<\/code>&nbsp;file is in a repository, Claude will load it. 
A malicious user with access to a repository can put whatever commands they want in that settings file, and Claude Code would execute them for you.<\/p>\n\n\n\n<p>While Claude does give some degree of warning that it may execute some files, and asks if you trust the repo, it doesn\u2019t give very clear indications about what it will run. And we know from previous work that&nbsp;<a href=\"https:\/\/checkmarx.com\/zero-post\/bypassing-ai-agent-defenses-with-lies-in-the-loop\/\">those dialogs can lie anyhow<\/a>.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" width=\"1024\" height=\"258\" src=\"https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/02\/tryai-claude-code-trust-dialog-1024x258.webp\" alt=\"\" class=\"wp-image-107355\" srcset=\"https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/02\/tryai-claude-code-trust-dialog-1024x258.webp 1024w, https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/02\/tryai-claude-code-trust-dialog-300x76.webp 300w, https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/02\/tryai-claude-code-trust-dialog-768x194.webp 768w, https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/02\/tryai-claude-code-trust-dialog-400x101.webp 400w, https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/02\/tryai-claude-code-trust-dialog.webp 1075w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Claude Code trust dialog, courtesy of Try AI<\/figcaption><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"untrusted-mcp-configurations\">Untrusted MCP configurations<\/h3>\n\n\n\n<p>Claude Code also&nbsp;<a href=\"https:\/\/code.claude.com\/docs\/en\/mcp\">supports interactions with Model-Context Protocol (<abbr title=\"Model Context Protocol\">MCP<\/abbr>) servers<\/a>, allowing Code to query data sources for additional context while it works. 
As with the hooks feature above, the configurations for&nbsp;MCP&nbsp;tools allow specifying initialization commands.<\/p>\n\n\n\n<p>Which means if the repository has an&nbsp;<code>.mcp.json<\/code>&nbsp;file, Claude Code will try to run the&nbsp;MCP&nbsp;tool it defines: and it can use a command provided by an attacker, leading to remote command execution.<\/p>\n\n\n\n<p>The warning dialog for this is much better, but researchers were able to use the same tactic above to include a&nbsp;<code>.claude\/settings.json<\/code>&nbsp;with instructions to allow-list the malicious&nbsp;MCP&nbsp;configuration. When this was done, the code was run&nbsp;<em>before any trust dialog was displayed<\/em>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"defense\">Defense<\/h3>\n\n\n\n<p>These specific items can be addressed by updating Claude Code to the most recent version. However, organizations should expect related issues in AI agents to continue to be discovered, and developers should make behavioral changes to help reduce the risk:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\n<strong>Take warnings seriously<\/strong>. It\u2019s easy to just click \u201cYes\u201d, but it\u2019s important to actually stop and think about the safety warnings AI tools give you<\/li>\n\n\n\n<li>\n<strong>Pay attention when tool configurations change<\/strong>. Git hooks that run after git retrieves remote code (like\u00a0<code>post-merge<\/code>\u00a0and\u00a0<code>post-checkout<\/code>) can warn when common tool configuration files and directories (like\u00a0<code>.claude<\/code>, <code>.mcp.json<\/code>\u00a0and\u00a0<code>.vscode<\/code>) are changed, so developers know that they should inspect those changes before running the related tool<\/li>\n\n\n\n<li>\n<strong>Review configuration file changes in PRs<\/strong>. Make sure that when reviewing pull requests (PRs) \/ merge requests (MRs), reviewers treat configuration file changes with the same rigor as code changes. 
This can help catch dangerous accidents as well as attempted attacks.<\/li>\n<\/ul>\n\n\n\n<p>These issues were&nbsp;<a href=\"https:\/\/research.checkpoint.com\/2026\/rce-and-api-token-exfiltration-through-claude-code-project-files-cve-2025-59536\/\">reported by Check Point Research<\/a>; see their discussion for details of the attack and additional response guidance.<\/p>\n\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"github-copilot-injection-from-issues-when-running-codespaces\">GitHub Copilot injection from Issues when running Codespaces<\/h2>\n\n\n\n<p>Researchers with Orca Security managed to hide prompt injection attacks in GitHub Issues. When a developer starts a Codespace from that issue, the GitHub Copilot AI assistant loads the issue as context automatically. They were able to use the injection in the issue to prompt Copilot to take dangerous steps including exfiltrating sensitive data like&nbsp;<code>GITHUB_TOKEN<\/code>&nbsp;values (which allow authentication to GitHub accounts).<\/p>\n\n\n\n<p>The technique used is very similar to how&nbsp;<a href=\"https:\/\/checkmarx.com\/zero-post\/bypassing-ai-agent-defenses-with-lies-in-the-loop\/#article-anchor-1\">we used GitHub Issues to inject Claude Code\u2019s security reviewer<\/a>:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Craft a prompt that causes the AI to perform a dangerous or malicious action<\/li>\n\n\n\n<li>Hide that prompt inside a GitHub Issue (either through obfuscation or providing it as an HTML comment)<\/li>\n\n\n\n<li>Trigger the AI to consume the GitHub Issue, including the prompt material, as context. 
It then evaluates that context as part of the session, treating it as a prompt<\/li>\n\n\n\n<li>The prompt executes and performs the attacker\u2019s actions<\/li>\n<\/ul>\n\n\n\n<p>This class of attack essentially conscripts your AI agent in an attack against you, turning your trusted assistant into a threat.<\/p>\n\n\n\n<p><a href=\"https:\/\/www.securityweek.com\/github-issues-abused-in-copilot-attack-leading-to-repository-takeover\/\">Security Week covers the story in more detail.<\/a><\/p>\n\n\n\n<p><\/p>","protected":false},"excerpt":{"rendered":"<p>Last Week In AppSec saw public disclosures relating to AI code assistants trusting context that can be attacker-controlled.<\/p>\n","protected":false},"author":137,"featured_media":107356,"template":"","zero-category":[1176,1333],"zero-tag":[1097,1082,1396,1128,1497,1342],"class_list":["post-107354","zero-post","type-zero-post","status-publish","has-post-thumbnail","hentry","zero-category-security-blogs","zero-category-security-news","zero-tag-ai","zero-tag-ai-security","zero-tag-claude-code","zero-tag-cve","zero-tag-github-copilot","zero-tag-last-week-in-appsec"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.1.1 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Last Week in AppSec for 26. 
February 2026 - Checkmarx<\/title>\n<meta name=\"description\" content=\"Last Week In AppSec saw public disclosures relating to AI code assistants trusting context that can be attacker-controlled.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/checkmarx.com\/zero-post\/last-week-in-appsec-for-26-february-2026\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Last Week in AppSec for 26. February 2026 - Checkmarx\" \/>\n<meta property=\"og:description\" content=\"Last Week In AppSec saw public disclosures relating to AI code assistants trusting context that can be attacker-controlled.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/checkmarx.com\/zero-post\/last-week-in-appsec-for-26-february-2026\/\" \/>\n<meta property=\"og:site_name\" content=\"Checkmarx\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/Checkmarx.Source.Code.Analysis\" \/>\n<meta property=\"article:modified_time\" content=\"2026-02-27T18:37:16+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/02\/cxzero-feature_2026-02-26_last-week-in-appsec.webp\" \/>\n\t<meta property=\"og:image:width\" content=\"2560\" \/>\n\t<meta property=\"og:image:height\" content=\"1280\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/webp\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:site\" content=\"@checkmarx\" \/>\n<meta name=\"twitter:label1\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/checkmarx.com\/zero-post\/last-week-in-appsec-for-26-february-2026\/\",\"url\":\"https:\/\/checkmarx.com\/zero-post\/last-week-in-appsec-for-26-february-2026\/\",\"name\":\"Last Week in AppSec for 26. February 2026 - Checkmarx\",\"isPartOf\":{\"@id\":\"https:\/\/checkmarx.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/checkmarx.com\/zero-post\/last-week-in-appsec-for-26-february-2026\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/checkmarx.com\/zero-post\/last-week-in-appsec-for-26-february-2026\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/02\/cxzero-feature_2026-02-26_last-week-in-appsec.webp\",\"datePublished\":\"2026-02-26T13:00:00+00:00\",\"dateModified\":\"2026-02-27T18:37:16+00:00\",\"description\":\"Last Week In AppSec saw public disclosures relating to AI code assistants trusting context that can be attacker-controlled.\",\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/checkmarx.com\/zero-post\/last-week-in-appsec-for-26-february-2026\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/checkmarx.com\/zero-post\/last-week-in-appsec-for-26-february-2026\/#primaryimage\",\"url\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/02\/cxzero-feature_2026-02-26_last-week-in-appsec.webp\",\"contentUrl\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/02\/cxzero-feature_2026-02-26_last-week-in-appsec.webp\",\"width\":2560,\"height\":1280,\"caption\":\"Street-art style, widescreen illustration in neon green and black: a computer shows a \u201cDo you trust this repository?\u201d warning, while a large folder labeled \u201cREPO\u201d and a masked figure at a laptop are connected by cables 
labeled \u201cMCP\u201d and a small \u201chooks.sh\u201d file. An \u201cISSUE\u201d page looms in the background with red arrows indicating hidden influence, suggesting AI tooling being steered by untrusted repo and issue content.\"},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/checkmarx.com\/#website\",\"url\":\"https:\/\/checkmarx.com\/\",\"name\":\"Checkmarx\",\"description\":\"The world runs on code. We secure it.\",\"publisher\":{\"@id\":\"https:\/\/checkmarx.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/checkmarx.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/checkmarx.com\/#organization\",\"name\":\"Checkmarx\",\"url\":\"https:\/\/checkmarx.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/checkmarx.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/02\/logo-dark.svg\",\"contentUrl\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/02\/logo-dark.svg\",\"width\":1,\"height\":1,\"caption\":\"Checkmarx\"},\"image\":{\"@id\":\"https:\/\/checkmarx.com\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/Checkmarx.Source.Code.Analysis\",\"https:\/\/x.com\/checkmarx\",\"https:\/\/www.youtube.com\/user\/CheckmarxResearchLab\",\"https:\/\/www.linkedin.com\/company\/checkmarx\"]}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Last Week in AppSec for 26. 
February 2026 - Checkmarx","description":"Last Week In AppSec saw public disclosures relating to AI code assistants trusting context that can be attacker-controlled.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/checkmarx.com\/zero-post\/last-week-in-appsec-for-26-february-2026\/","og_locale":"en_US","og_type":"article","og_title":"Last Week in AppSec for 26. February 2026 - Checkmarx","og_description":"Last Week In AppSec saw public disclosures relating to AI code assistants trusting context that can be attacker-controlled.","og_url":"https:\/\/checkmarx.com\/zero-post\/last-week-in-appsec-for-26-february-2026\/","og_site_name":"Checkmarx","article_publisher":"https:\/\/www.facebook.com\/Checkmarx.Source.Code.Analysis","article_modified_time":"2026-02-27T18:37:16+00:00","og_image":[{"width":2560,"height":1280,"url":"https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/02\/cxzero-feature_2026-02-26_last-week-in-appsec.webp","type":"image\/webp"}],"twitter_card":"summary_large_image","twitter_site":"@checkmarx","twitter_misc":{"Est. reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/checkmarx.com\/zero-post\/last-week-in-appsec-for-26-february-2026\/","url":"https:\/\/checkmarx.com\/zero-post\/last-week-in-appsec-for-26-february-2026\/","name":"Last Week in AppSec for 26. 
February 2026 - Checkmarx","isPartOf":{"@id":"https:\/\/checkmarx.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/checkmarx.com\/zero-post\/last-week-in-appsec-for-26-february-2026\/#primaryimage"},"image":{"@id":"https:\/\/checkmarx.com\/zero-post\/last-week-in-appsec-for-26-february-2026\/#primaryimage"},"thumbnailUrl":"https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/02\/cxzero-feature_2026-02-26_last-week-in-appsec.webp","datePublished":"2026-02-26T13:00:00+00:00","dateModified":"2026-02-27T18:37:16+00:00","description":"Last Week In AppSec saw public disclosures relating to AI code assistants trusting context that can be attacker-controlled.","inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/checkmarx.com\/zero-post\/last-week-in-appsec-for-26-february-2026\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/checkmarx.com\/zero-post\/last-week-in-appsec-for-26-february-2026\/#primaryimage","url":"https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/02\/cxzero-feature_2026-02-26_last-week-in-appsec.webp","contentUrl":"https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/02\/cxzero-feature_2026-02-26_last-week-in-appsec.webp","width":2560,"height":1280,"caption":"Street-art style, widescreen illustration in neon green and black: a computer shows a \u201cDo you trust this repository?\u201d warning, while a large folder labeled \u201cREPO\u201d and a masked figure at a laptop are connected by cables labeled \u201cMCP\u201d and a small \u201chooks.sh\u201d file. An \u201cISSUE\u201d page looms in the background with red arrows indicating hidden influence, suggesting AI tooling being steered by untrusted repo and issue content."},{"@type":"WebSite","@id":"https:\/\/checkmarx.com\/#website","url":"https:\/\/checkmarx.com\/","name":"Checkmarx","description":"The world runs on code. 
We secure it.","publisher":{"@id":"https:\/\/checkmarx.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/checkmarx.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/checkmarx.com\/#organization","name":"Checkmarx","url":"https:\/\/checkmarx.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/checkmarx.com\/#\/schema\/logo\/image\/","url":"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/02\/logo-dark.svg","contentUrl":"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/02\/logo-dark.svg","width":1,"height":1,"caption":"Checkmarx"},"image":{"@id":"https:\/\/checkmarx.com\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/Checkmarx.Source.Code.Analysis","https:\/\/x.com\/checkmarx","https:\/\/www.youtube.com\/user\/CheckmarxResearchLab","https:\/\/www.linkedin.com\/company\/checkmarx"]}]}},"_links":{"self":[{"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/zero-post\/107354","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/zero-post"}],"about":[{"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/types\/zero-post"}],"author":[{"embeddable":true,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/users\/137"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/media\/107356"}],"wp:attachment":[{"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/media?parent=107354"}],"wp:term":[{"taxonomy":"zero-category","embeddable":true,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/zero-category?post=107354"},{"taxonomy":"zero-tag","embeddable":true,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/zero-tag?post=107354"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}