Search criteria
2 vulnerabilities by 54yyyu
CVE-2026-7812 (GCVE-0-2026-7812)
Vulnerability from cvelistv5 – Published: 2026-05-05 04:15 – Updated: 2026-05-06 14:06
VLAI?
Title
54yyyu code-mcp MCP Tool server.py git_operation command injection
Summary
A vulnerability was found in 54yyyu code-mcp up to 4cfc4643541a110c906d93635b391bf7e357f4a8. The impacted element is the function git_operation of the file src/code_mcp/server.py of the component MCP Tool. Performing a manipulation of the argument operation results in command injection. The attack can be initiated remotely. The exploit has been made public and could be used. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The project was informed of the problem early through an issue report but has not responded yet.
Severity ?
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/361072 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/361072/cti | signaturepermissions-required |
| https://vuldb.com/submit/807752 | third-party-advisory |
| https://github.com/54yyyu/code-mcp/issues/5 | exploitissue-tracking |
| https://github.com/54yyyu/code-mcp/ | product |
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-7812",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-06T14:06:13.265894Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-06T14:06:31.385Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"MCP Tool"
],
"product": "code-mcp",
"vendor": "54yyyu",
"versions": [
{
"status": "affected",
"version": "4cfc4643541a110c906d93635b391bf7e357f4a8"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "CPT_Penner (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in 54yyyu code-mcp up to 4cfc4643541a110c906d93635b391bf7e357f4a8. The impacted element is the function git_operation of the file src/code_mcp/server.py of the component MCP Tool. Performing a manipulation of the argument operation results in command injection. The attack can be initiated remotely. The exploit has been made public and could be used. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The project was informed of the problem early through an issue report but has not responded yet."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 7.5,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "Command Injection",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-74",
"description": "Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-05T04:15:12.122Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-361072 | 54yyyu code-mcp MCP Tool server.py git_operation command injection",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/361072"
},
{
"name": "VDB-361072 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/361072/cti"
},
{
"name": "Submit #807752 | 54yyyu code-mcp 4cfc4643541a110c906d93635b391bf7e357f4a8 Command Injection",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/807752"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/54yyyu/code-mcp/issues/5"
},
{
"tags": [
"product"
],
"url": "https://github.com/54yyyu/code-mcp/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-04T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-05-04T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-05-04T23:31:25.000Z",
"value": "VulDB entry last update"
}
],
"title": "54yyyu code-mcp MCP Tool server.py git_operation command injection"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-7812",
"datePublished": "2026-05-05T04:15:12.122Z",
"dateReserved": "2026-05-04T21:25:51.261Z",
"dateUpdated": "2026-05-06T14:06:31.385Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-7811 (GCVE-0-2026-7811)
Vulnerability from cvelistv5 – Published: 2026-05-05 04:00 – Updated: 2026-05-05 13:41
VLAI?
Title
54yyyu code-mcp MCP File server.py is_safe_path path traversal
Summary
A vulnerability has been found in 54yyyu code-mcp up to 4cfc4643541a110c906d93635b391bf7e357f4a8. The affected element is the function is_safe_path of the file src/code_mcp/server.py of the component MCP File Handler. Such manipulation leads to path traversal. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. The project was informed of the problem early through an issue report but has not responded yet.
Severity ?
CWE
- CWE-22 - Path Traversal
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/361071 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/361071/cti | signaturepermissions-required |
| https://vuldb.com/submit/807751 | third-party-advisory |
| https://github.com/54yyyu/code-mcp/issues/4 | exploitissue-tracking |
| https://github.com/54yyyu/code-mcp/ | product |
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-7811",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-05T13:41:01.054759Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-05T13:41:25.439Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"MCP File Handler"
],
"product": "code-mcp",
"vendor": "54yyyu",
"versions": [
{
"status": "affected",
"version": "4cfc4643541a110c906d93635b391bf7e357f4a8"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "CPT_Penner (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been found in 54yyyu code-mcp up to 4cfc4643541a110c906d93635b391bf7e357f4a8. The affected element is the function is_safe_path of the file src/code_mcp/server.py of the component MCP File Handler. Such manipulation leads to path traversal. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. The project was informed of the problem early through an issue report but has not responded yet."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 7.5,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "Path Traversal",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-05T04:00:21.402Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-361071 | 54yyyu code-mcp MCP File server.py is_safe_path path traversal",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/361071"
},
{
"name": "VDB-361071 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/361071/cti"
},
{
"name": "Submit #807751 | 54yyyu code-mcp 4cfc4643541a110c906d93635b391bf7e357f4a8 Path Traversal",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/807751"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/54yyyu/code-mcp/issues/4"
},
{
"tags": [
"product"
],
"url": "https://github.com/54yyyu/code-mcp/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-04T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-05-04T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-05-04T23:29:18.000Z",
"value": "VulDB entry last update"
}
],
"title": "54yyyu code-mcp MCP File server.py is_safe_path path traversal"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-7811",
"datePublished": "2026-05-05T04:00:21.402Z",
"dateReserved": "2026-05-04T21:24:12.293Z",
"dateUpdated": "2026-05-05T13:41:25.439Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}