CVE-2025-49596. CVE-2025-68143. CVE-2026-30615.
These are real CVE numbers assigned to MCP vulnerabilities in the past year. Each one describes a real attack. None of them tells you what the attack class is, what the AIVSS risk score is, how to detect it in a skill file, or what the remediation looks like. That information lives in a PDF, a blog post, or a researcher's GitHub repo - if it lives anywhere at all.
CVE was built for traditional software vulnerabilities. Buffer overflows. SQL injection. Memory corruption. The identifier scheme works for that world because the vulnerability is in the code and the fix is a patch.
AI agent vulnerabilities are different in a specific way. The payload is natural language. The "code" is a prompt. There is no binary to patch. And the same attack class, say prompt injection or credential exfiltration, can appear in any skill file, in any language, with any phrasing. The attack surface is not a function call. It is every sentence an agent is instructed to read.
What was missing
When we started scanning agentic components in late 2025, we had three problems:
No stable identifiers. Every researcher was naming attack classes differently. "Tool poisoning" and "tool description injection" describe the same thing. "Goal hijacking" and "goal override" are the same attack. Without stable IDs, you cannot write detection rules that map to a shared taxonomy.
No scoring standard. CVSS scores agent vulnerabilities the same way it scores a buffer overflow: based on the code path, the privilege level, the access vector. None of that captures what makes agent vulnerabilities dangerous. An agent with persistent memory and external tool access amplifies the risk of a prompt injection by an order of magnitude compared to the same injection in a stateless chatbot.
No detection-oriented records. CVE records describe vulnerabilities after they are exploited. They do not include behavioral fingerprints, detection patterns, or indicators of compromise designed for static analysis. A scanner needs to know what to look for in a file, not what happened when an exploit ran.
What AVE is
AVE - Agentic Vulnerability Enumeration which is an open vulnerability database for agentic AI components. Every record covers a distinct attack class affecting MCP servers, skill files, system prompts, and agent plugins.
Each record has:
- A stable identifier:
AVE-2026-NNNNN - An OWASP AIVSS v0.8 score (see below)
- Behavioral fingerprint: a description of what the attack looks like in text
- Behavioral vectors: concrete examples of the attack pattern
- Detection methodology: how to find it statically
- Indicators of compromise
- Remediation guidance
- OWASP MCP Top 10 and ASI mappings
- NIST AI RMF and MITRE ATLAS mappings
The records are JSON files in a public GitHub repo. No API key. No account. Apache 2.0.
AIVSS: scoring what CVSS misses
The scoring formula:
AIVSS = ((CVSS_Base + AARS) / 2) * ThM * Mitigation_Factor
AARS is the Agentic Risk Score: the sum of 10 Agentic Risk Amplification
Factors (AARFs), each scored 0.0 / 0.5 / 1.0:
| Factor | What it captures |
|---|---|
| Autonomy | Agent acts without human approval |
| Tool use | Agent has access to external tools and APIs |
| Multi-agent | Agent interacts with or spawns other agents |
| Non-determinism | Behavior varies across runs |
| Self-modification | Can alter own instructions or memory |
| Dynamic identity | Assumes roles at runtime |
| Persistent memory | Retains state across sessions |
| Natural language input | Instruction surface is natural language |
| Data access | Reads sensitive data (files, env, DB) |
| External dependencies | Loads external code, skills, plugins |
A prompt injection in a stateless chatbot with no tool access might score 4.0. The same injection in an agent with persistent memory, tool access, and multi-agent spawning capability can score 8.5. CVSS cannot express this difference. AIVSS can.
48 records later
The current AVE database has 48 records covering attack classes across the full agentic AI stack. The most recently added:
-
AVE-2026-00046: MCP tool hook hijacking (CRITICAL 9.1) -
AVE-2026-00047: Hardcoded credentials in agent components (HIGH 7.8) -
AVE-2026-00048: Unsafe agent delegation chains (HIGH 8.2)
Every record maps to detection rules in Bawbel Scanner. When the scanner reports AVE-2026-00001, the finding links to a full record at
api.piranha.bawbel.io/records/AVE-2026-00001 with IOCs, remediation, and the behavioral fingerprint.
The goal
The goal is not to replace CVE. CVE covers implementation vulnerabilities in agent infrastructure code. AVE covers behavioral attack patterns in agentic components.
Both are necessary. A vulnerability in the MCP client implementation is a CVE. A skill file that instructs an agent to exfiltrate credentials is an AVE.
As AI agent registries scale, the tooling needs to exist before the attacks become routine. That is why we built AVE, and why it is open.
Links
- AVE Standard: github.com/bawbel/ave
- OWASP AIVSS: aivss.owasp.org
- PiranhaDB: api.piranha.bawbel.io
- Bawbel Scanner: github.com/bawbel/scanner
Top comments (0)