Is there a public PoC exploit available for CVE-2026-7446?

Yes, a public proof-of-concept exploit is available for CVE-2026-7446. Prioritise patching immediately. EPSS: 0.8%.

Is there a patch available for CVE-2026-7446?

Yes, a patch is available for CVE-2026-7446. Update the affected software to the latest version immediately.

mcp-server-semgrep CVE-2026-7446

Q: What is the CVSS score of CVE-2026-7446?

CVE-2026-7446 has a CVSS 4.0 base score of 5.5 (Medium). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.8%.

EUVD-2026-26302 MEDIUM

OS Command Injection (CWE-78)

2026-04-30 VulDB

Command Injection

5.5

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

PoC Detected

Apr 30, 2026 - 14:52 vuln.today

Public exploit code

Source Code Evidence Fetched

Apr 30, 2026 - 00:29 vuln.today

Analysis Generated

Apr 30, 2026 - 00:29 vuln.today

Severity Changed

Apr 30, 2026 - 00:22 NVD

HIGH MEDIUM

CVSS changed

Apr 30, 2026 - 00:22 NVD

7.3 (HIGH) 5.5 (MEDIUM)

EUVD ID Assigned

Apr 30, 2026 - 00:15 euvd

EUVD-2026-26302

Analysis Generated

Apr 30, 2026 - 00:15 vuln.today

Patch released

Apr 30, 2026 - 00:15 nvd

Patch available

CVE Published

Apr 30, 2026 - 00:00 nvd

MEDIUM 5.5

DescriptionNVD

A vulnerability was detected in VetCoders mcp-server-semgrep 1.0.0. This affects the function analyze_results/filter_results/export_results/compare_results/scan_directory/create_rule of the file src/index.ts of the component MCP Interface. The manipulation of the argument ID results in os command injection. The attack can be executed remotely. The exploit is now public and may be used. Upgrading to version 1.0.1 is able to mitigate this issue. The patch is identified as 141335da044e53c3f5b315e0386e01238405b771. It is advisable to upgrade the affected component.

AnalysisAI

OS command injection in VetCoders mcp-server-semgrep 1.0.0 allows remote unauthenticated attackers to execute arbitrary commands via unsanitized ID arguments passed to multiple analysis functions (analyze_results, filter_results, export_results, compare_results, scan_directory, create_rule) in src/index.ts. The vulnerability stems from unsafe use of child_process.exec() which interpolates user input into shell command strings. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-7446 vulnerability details – vuln.today

Back

mcp-server-semgrep CVE-2026-7446

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Analysis

Full analysis requires sign-in

Share

mcp-server-semgrep CVE-2026-7446

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Full analysis requires sign-in

Share

External POC / Exploit Code