Skip to content
CVSS 7.3 · HIGH

CVE-2026-7446

A vulnerability was detected in VetCoders mcp-server-semgrep 1.0.0. This affects the function analyze_results/filter_results/export_results/compare_results/scan_directory/create_rule of the file src/index.ts of the component MCP Interface. The manipulation of the argument ID results in os command injection. The attack can be executed remotely. The exploit is now public and may be used. Upgrading to version 1.0.1 is able to mitigate this issue. The patch is identified as 141335da044e53c3f5b315e0386e01238405b771. It is advisable to upgrade the affected component.

Ver en NVD

Análisis

This is a remote OS command injection vulnerability in a specific Model Context Protocol (MCP) server implementation for Semgrep. While the bug is severe (RCE) and an exploit is public, this specific package from VetCoders is a niche utility within the emerging MCP ecosystem and does not yet have the widespread deployment seen in major developer tools.

Severidad

Puntaje: 7.3(HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
AV: NETWORK
AC: LOW
PR: NONE
UI: NONE
S: UNCHANGED
C: LOW
I: LOW
A: LOW
Tipo de falla (CWE): CWE-77CWE-78

EPSS

Probabilidad de explotación (próx. 30 días): 0.0179 (1.8%)
Percentil: 82.8%
EPSS: 2026-05-06

Descripción técnica

A vulnerability was detected in VetCoders mcp-server-semgrep 1.0.0. This affects the function analyze_results/filter_results/export_results/compare_results/scan_directory/create_rule of the file src/index.ts of the component MCP Interface. The manipulation of the argument ID results in os command injection. The attack can be executed remotely. The exploit is now public and may be used. Upgrading to version 1.0.1 is able to mitigate this issue. The patch is identified as 141335da044e53c3f5b315e0386e01238405b771. It is advisable to upgrade the affected component.

Publicada: 30/4/2026, 0:16:23
Última modificación: 30/4/2026, 14:52:54

Referencias

InicioEventosBlogRecursosEquipo