Marionette Collective Security Vulnerabilities - CVSS Score 9 - 10

CVE-2014-0175

mcollective has a default password set at install

CVE-2016-2788

MCollective 2.7.0 and 2.8.x before 2.8.9, as used in Puppet Enterprise, allows remote attackers to execute arbitrary code via vectors related to the mco ping command.