Skip to main content

awesome-cursor-mpc-server CVE-2026-7629

| EUVDEUVD-2026-26791 LOW
Command Injection (CWE-77)
2026-05-02 VulDB
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

9
Severity Changed
May 02, 2026 - 14:22 NVD
MEDIUM LOW
CVSS changed
May 02, 2026 - 14:22 NVD
6.3 (MEDIUM) 2.1 (LOW)
PoC Detected
May 02, 2026 - 14:16 vuln.today
Public exploit code
Source Code Evidence Fetched
May 02, 2026 - 14:00 vuln.today
Analysis Generated
May 02, 2026 - 14:00 vuln.today
EUVD ID Assigned
May 02, 2026 - 13:30 euvd
EUVD-2026-26791
Analysis Generated
May 02, 2026 - 13:30 vuln.today
Patch released
May 02, 2026 - 13:30 nvd
Patch available
CVE Published
May 02, 2026 - 13:00 nvd
LOW 2.1

DescriptionCVE.org

A flaw has been found in kleneway awesome-cursor-mpc-server up to 2.0.1. Impacted is the function runCodeReviewTool of the file src/tools/codeReview.ts of the component Ccode-Review Tool. Executing a manipulation can lead to command injection. The attack may be launched remotely. The exploit has been published and may be used. The project was informed of the problem early through a pull request but has not reacted yet.

AnalysisAI

Command injection in awesome-cursor-mpc-server up to version 2.0.1 allows authenticated remote attackers to execute arbitrary system commands via the Code-Review Tool's runCodeReviewTool function in src/tools/codeReview.ts. The vulnerability stems from unsafe use of execSync with user-controlled input in git command construction. Publicly available exploit code exists, and a patch via PR #14 is available from the vendor, though formal release status is not confirmed.

Technical ContextAI

The vulnerability exists in the runCodeReviewTool function which constructs and executes shell commands using Node.js execSync from the child_process module. The flaw occurs when user-controlled input (the folderPath parameter) is interpolated directly into a template-literal shell command string passed to execSync, rather than using parameterized command execution. This violates secure coding practices for command invocation-execSync evaluates the entire command string through a shell interpreter, allowing shell metacharacters in the input to break out of the intended command structure. The fix (PR #14) replaces execSync with execFileSync and uses an array-based argument list, which prevents shell interpretation of metacharacters. CWE-77 classifies this as improper neutralization of special elements used in a command (Command Injection).

RemediationAI

Upgrade awesome-cursor-mpc-server to a version incorporating the fix from PR #14 (replace execSync with execFileSync and use array-based argument passing) once a formal release is available from the vendor. Monitor the GitHub repository (https://github.com/kleneway/awesome-cursor-mpc-server/) for release announcements. Until a patched release is available, restrict network and API access to the Code-Review Tool endpoint to trusted internal networks only, limit authenticated user accounts to administrative personnel, and disable the Code-Review Tool feature if not actively used. These compensating controls reduce the attack surface but do not eliminate the vulnerability; a code-level patch is the permanent remediation. Review git diff operations in your deployment for any unsanitized user input passed to the folderPath parameter.

Share

CVE-2026-7629 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy