CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Description (NVD)
MCP Calculate Server is a mathematical calculation service based on MCP protocol and SymPy library. Prior to 0.1.1, the use of eval() to evaluate mathematical expressions without proper input sanitization leads to remote code execution. This vulnerability is fixed in 0.1.1.
Analysis (AI)
Remote code execution in MCP Calculate Server versions before 0.1.1 allows unauthenticated attackers to execute arbitrary Python code via unsanitized mathematical expressions passed to eval(). The vulnerability stems from processing user-supplied math expressions without input validation, enabling injection of malicious Python code. …
Remediation (AI)
Within 24 hours: Identify all instances of MCP Calculate Server in your environment and immediately isolate any instances running versions before 0.1.1 from production networks. Within 7 days: Upgrade all instances to version 0.1.1 or later once the vendor patch becomes available; if unavailable, maintain network segmentation and disable external access. …
EUVD-2026-30574