Skip to main content

mcp-text-editor CVE-2026-15138

| EUVDEUVD-2026-42494 LOW
Path Traversal (CWE-22)
2026-07-09 cna@vuldb.com GHSA-mh32-g5q6-4x93
2.1
CVSS 4.0 · Vendor: vuldb

Severity by source

Vendor (vuldb) PRIMARY
2.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.3 MEDIUM

Network-reachable with no authentication (PR:N), but user interaction required (UI:R); limited low-level CIA impact with no scope change, consistent with partial path traversal reach.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (vuldb).

CVSS VectorVendor: vuldb

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jul 09, 2026 - 01:29 vuln.today

DescriptionCVE.org

A security vulnerability has been detected in tumf mcp-text-editor up to 1.0.2. This issue affects the function _validate_file_path of the file mcp_text_editor/text_editor.py. Such manipulation of the argument file_path leads to path traversal. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. The vendor closed the GitHub issue for this vulnerability without any explanation.

AnalysisAI

Path traversal in tumf mcp-text-editor up to version 1.0.2 allows remote attackers to read, write, or delete files outside the intended directory by supplying manipulated file path arguments to the _validate_file_path function in mcp_text_editor/text_editor.py. A public exploit has been disclosed (confirmed by VulDB and reflected in the CVSS 4.0 E:P modifier), and the vendor has closed the tracking GitHub issue without explanation, leaving the vulnerability unpatched. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Send crafted MCP tool request
Delivery
Supply path-traversal file_path argument
Exploit
Bypass _validate_file_path sanitization
Execution
Access files outside intended directory
Impact
Read or overwrite sensitive host files

Vulnerability AssessmentAI

Exploitation The mcp-text-editor service must be running and network-accessible to the attacker (AV:N confirmed by CVSS vector). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 base score of 2.1 is very low, consistent with the partial (Low) confidentiality, integrity, and availability impact ratings (VC:L/VI:L/VA:L) and the UI:P requirement indicating that some user interaction must occur before exploitation can succeed. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker or a malicious AI agent prompt crafts a tool invocation to the mcp-text-editor service with a `file_path` value such as `../../../../etc/passwd` or `../../../../home/user/.ssh/id_rsa`. The `_validate_file_path` function fails to reject the traversal sequence, allowing the MCP server to read or overwrite the targeted file on behalf of the caller. …
Remediation No vendor-released patch is identified at time of analysis - the vendor closed GitHub issue #22 (https://github.com/tumf/mcp-text-editor/issues/22) without comment or fix. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-15138 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy