Skip to content
CVSS 7.3 · HIGH

CVE-2026-7319

A flaw has been found in elinsky execution-system-mcp 0.1.0. The impacted element is the function _get_context_file_path of the file src/execution_system_mcp/server.py of the component add_action Tool. This manipulation of the argument context causes path traversal. The attack can be initiated remotely. The exploit has been published and may be used.

View on NVD

Analysis

This vulnerability affects execution-system-mcp, a specific Model Context Protocol (MCP) server for LLMs with very low distribution. While it is a remote path traversal bug with a public exploit, the tool is a niche utility and not a standard part of the MexicoDev stack or general server infrastructure.

Severity

Score: 7.3(HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
AV: NETWORK
AC: LOW
PR: NONE
UI: NONE
S: UNCHANGED
C: LOW
I: LOW
A: LOW
Weakness (CWE): CWE-22

EPSS

Probability of exploitation (next 30 days): 0.0010 (0.1%)
Percentile: 27.5%
EPSS: 2026-05-06

Technical description

A flaw has been found in elinsky execution-system-mcp 0.1.0. The impacted element is the function _get_context_file_path of the file src/execution_system_mcp/server.py of the component add_action Tool. This manipulation of the argument context causes path traversal. The attack can be initiated remotely. The exploit has been published and may be used.

Published: 4/28/2026, 10:16:52 PM
Last modified: 4/29/2026, 9:16:21 PM

References

HomeEventsBlogResourcesTeam