CVE-ID: CVE-2025-15061
CVSS Score: 9.8, AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Vendors: Framelink
Affected Products: Figma MCP Server

Vulnerability Details:
- This vulnerability allows remote attackers to execute arbitrary code on affected installations of Framelink Figma MCP Server. Authentication is not required to exploit this vulnerability.
- The issue is due to improper validation of a user-supplied string in the method, leading to code execution.

Additional Details:
- Framelink has issued an update to fix this issue. More details can be found at: https://github.com/GLips/Figma-Context-MCP/security/advisories/GHSA-gxw4-4fc5-9gr5

Disclosure Timeline:
- 2025-10-07: Vulnerability reported to vendor
- 2025-12-29: Coordinated public release of advisory
- 2025-12-29: Advisory updated

Credit:
- Peter Girnus (@gothburz) and Brandon Niemczyk of Trend Zero Day Initiative