EUVD-2026-12267CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Lifecycle Timeline
3Tags
Description
A vulnerability was determined in hypermodel-labs mcp-server-auto-commit 1.0.0. Affected by this vulnerability is the function getGitChanges of the file index.ts. This manipulation causes command injection. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. Patch name: f7d992c830c5f2ec5749852e66c0195e3ed7fe30. Applying a patch is the recommended action to fix this issue. The project was informed of the problem early through an issue report but has not responded yet.
Analysis
Local command injection in hypermodel-labs mcp-server-auto-commit 1.0.0 via the getGitChanges function in index.ts allows authenticated local attackers to execute arbitrary commands with the privileges of the affected process. Public exploit code exists for this vulnerability, and the vendor has not yet released a patch despite early notification.
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. Validate input sanitization for user-controlled parameters.
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today