Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
8DescriptionCVE.org
A vulnerability has been found in Divyanshu-hash GitPilot-MCP up to 9ed9f153ba4158a2ad230ee4871b25130da29ffd. This impacts the function repo_path of the file main.py. Such manipulation of the argument command leads to command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
Remote command injection in GitPilot-MCP allows unauthenticated attackers to execute arbitrary system commands via the repo_path function in main.py. The vulnerability affects all versions up to commit 9ed9f153ba4158a2ad230ee4871b25130da29ffd, with publicly available exploit code demonstrating practical exploitation. CVSS 7.3 (High) with network vector and no authentication required indicates significant exposure, though CVSS impact ratings (L/L/L) suggest attackers may have limited privileges in command execution context.
Technical ContextAI
This is a CWE-77 command injection vulnerability in the repo_path function within main.py of GitPilot-MCP, a tool that appears to integrate Git operations with Model Context Protocol (MCP) capabilities. Command injection occurs when user-supplied input in the 'command' argument is passed to system shell execution functions without proper sanitization or validation. The vulnerability allows attackers to break out of intended command syntax by injecting shell metacharacters (such as semicolons, pipes, or backticks) to execute arbitrary commands. The affected component processes repository paths, suggesting the injection point may occur during Git operations or file system interactions where command-line utilities are invoked with user-controllable path parameters.
RemediationAI
No vendor-released patch identified at time of analysis, as the maintainer did not respond to vulnerability disclosure. Organizations using GitPilot-MCP should immediately implement the following compensating controls: (1) Restrict network access to GitPilot-MCP instances using firewall rules or network segmentation, allowing access only from trusted internal networks or specific IP ranges (trade-off: breaks remote workflow automation). (2) Deploy GitPilot-MCP within containerized or sandboxed environments with minimal system privileges and restricted file system access to limit command injection impact (trade-off: may break legitimate file operations). (3) Implement application-layer input validation proxy or web application firewall rules to block common command injection patterns in repo_path parameters, filtering shell metacharacters like semicolons, pipes, backticks, and dollar signs (trade-off: may break legitimate repository paths with special characters). (4) Monitor system logs for unexpected child process execution or shell invocations from GitPilot-MCP processes. Given vendor non-responsiveness, evaluate migrating to actively maintained alternatives for Git automation. Full vulnerability details and exploit demonstration available at https://github.com/wing3e/public_exp/issues/38 and https://vuldb.com/vuln/359523/cti.
Same weakness CWE-77 – Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25656