Is there a public PoC exploit available for CVE-2026-7738?

Yes, a public proof-of-concept exploit is available for CVE-2026-7738. Prioritise patching immediately. EPSS: 0.1%.

puchunjie doc-tools-mcp CVE-2026-7738

Q: What is the CVSS score of CVE-2026-7738?

CVE-2026-7738 has a CVSS 4.0 base score of 2.1 (Low). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.1%.

EUVD-2026-26919 LOW

Path Traversal (CWE-22)

2026-05-04 VulDB

Path Traversal

2.1

CVSS 4.0

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Lifecycle Timeline

PoC Detected

May 04, 2026 - 15:17 vuln.today

Public exploit code

Analysis Generated

May 04, 2026 - 07:31 vuln.today

Severity Changed

May 04, 2026 - 07:22 NVD

MEDIUM LOW

CVSS changed

May 04, 2026 - 07:22 NVD

6.3 (MEDIUM) 2.1 (LOW)

EUVD ID Assigned

May 04, 2026 - 07:00 euvd

EUVD-2026-26919

Analysis Generated

May 04, 2026 - 07:00 vuln.today

CVE Published

May 04, 2026 - 06:00 nvd

LOW 2.1

Blast Radius

ecosystem impact

† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth

2 npm packages depend on @puchunjie/doc-tools-mcp (2 direct, 0 indirect)

Ecosystem-wide dependent count for version 1.0.18.

DescriptionNVD

A security flaw has been discovered in puchunjie doc-tools-mcp 1.0.18. This affects the function create_document/open_document of the file src/mcp-server.ts of the component MCP Interface. The manipulation of the argument filePath results in path traversal. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.

AnalysisAI

Path traversal in puchunjie doc-tools-mcp 1.0.18 MCP Interface allows authenticated remote attackers to access arbitrary files on the system via manipulation of the filePath argument in create_document and open_document functions. The vulnerability has a low CVSS score (2.1) due to authentication requirements and limited confidentiality impact, but publicly available exploit code exists. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-7738 vulnerability details – vuln.today

Back