Skip to main content

yii2-mcp-server CVE-2026-7600

| EUVDEUVD-2026-26725 LOW
OS Command Injection (CWE-78)
2026-05-02 VulDB
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

7
Severity Changed
May 02, 2026 - 01:22 NVD
MEDIUM LOW
CVSS changed
May 02, 2026 - 01:22 NVD
6.3 (MEDIUM) 2.1 (LOW)
PoC Detected
May 02, 2026 - 01:16 vuln.today
Public exploit code
Analysis Generated
May 02, 2026 - 01:00 vuln.today
EUVD ID Assigned
May 02, 2026 - 00:30 euvd
EUVD-2026-26725
Analysis Generated
May 02, 2026 - 00:30 vuln.today
CVE Published
May 02, 2026 - 00:15 nvd
LOW 2.1

DescriptionCVE.org

A flaw has been found in ArtMin96 yii2-mcp-server 1.0.2. This impacts the function yii_command_help/yii_execute_command of the file src/index.ts of the component MCP Interface. Executing a manipulation can lead to os command injection. The attack can be executed remotely. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet.

AnalysisAI

Remote OS command injection in ArtMin96 yii2-mcp-server 1.0.2 allows authenticated remote attackers to execute arbitrary operating system commands via manipulation of the yii_command_help or yii_execute_command functions in the MCP Interface component. Exploit code is publicly available, and the vendor has not yet responded to early disclosure through issue reporting.

Technical ContextAI

The yii2-mcp-server is a Model Context Protocol (MCP) interface implementation for the Yii2 framework. The vulnerability exists in src/index.ts within the MCP Interface component, specifically in the functions handling yii_command_help and yii_execute_command. CWE-78 (Improper Neutralization of Special Elements used in an OS Command) indicates that user-supplied input is not properly sanitized before being passed to OS command execution functions. This is a classic command injection flaw where special shell metacharacters (pipe, semicolon, backticks, dollar signs for variable expansion) are not escaped or validated, allowing attackers to break out of the intended command context and inject arbitrary commands.

RemediationAI

Immediate patch availability from the vendor is not confirmed; the project maintainer has not responded to the early disclosure issue. Users should: (1) Upgrade to the latest available version if one exists beyond 1.0.2 by checking the official GitHub repository at https://github.com/ArtMin96/yii2-mcp-server for recent commits or releases; (2) If no patch is available, restrict network access to the yii2-mcp-server MCP interface using firewall rules, limiting inbound connections to trusted IP ranges only; (3) Implement strict input validation and sanitization in any wrapper code that calls yii_command_help or yii_execute_command, using parameterized commands or shell argument arrays instead of string concatenation; (4) Consider replacing yii2-mcp-server with an actively maintained alternative if the maintainer does not release a security fix within 30 days; (5) Monitor the GitHub issue https://github.com/ArtMin96/yii2-mcp-server/issues/3 for vendor response or community-provided patches. Each of these controls trades off between functionality (firewall rules may block legitimate MCP clients) and effort (input validation requires code review and testing).

Share

CVE-2026-7600 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy