Is there a public PoC exploit available for EUVD-2026-18202?

Yes, a public proof-of-concept exploit is available for EUVD-2026-18202. Prioritise patching immediately. EPSS: 0.9%.

Fast Filesystem Mcp EUVD-2026-18202

Q: What is the CVSS score of EUVD-2026-18202?

EUVD-2026-18202 has a CVSS 4.0 base score of 2.1 (Low). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.9%.

| CVE-2026-5327 LOW

Command Injection (CWE-77)

2026-04-02 VulDB

Command Injection Fast Filesystem Mcp

2.1

CVSS 4.0 · NVD

Severity by source

NVD PRIMARY

2.1 LOW

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Lifecycle Timeline

Severity Changed

Apr 29, 2026 - 01:11 NVD

MEDIUM LOW

CVSS changed

Apr 29, 2026 - 01:11 NVD

5.3 (MEDIUM) 2.1 (LOW)

PoC Detected

Apr 03, 2026 - 16:10 vuln.today

Public exploit code

EUVD ID Assigned

Apr 02, 2026 - 12:00 euvd

EUVD-2026-18202

Analysis Generated

Apr 02, 2026 - 12:00 vuln.today

CVE Published

Apr 02, 2026 - 11:45 nvd

MEDIUM 5.3

DescriptionCVE.org

A security flaw has been discovered in efforthye fast-filesystem-mcp up to 3.5.1. The affected element is the function handleGetDiskUsage of the file src/index.ts. Performing a manipulation results in command injection. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.

AnalysisAI

Command injection in efforthye fast-filesystem-mcp up to version 3.5.1 allows authenticated remote attackers to execute arbitrary system commands via the handleGetDiskUsage function in src/index.ts. The vulnerability has a CVSS score of 6.3 (medium) with publicly available exploit code and no vendor patch released despite early notification through issue tracking. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Vulnerability AssessmentAI

Risk Assessment	While the CVSS score of 6.3 is moderate, multiple risk signals elevate practical concern. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An authenticated user with legitimate access to an efforthye fast-filesystem-mcp application crafts a request to the handleGetDiskUsage function containing shell metacharacters (e.g., backticks, pipes, command separators) in the input parameters. Due to insufficient input sanitization, the injected commands are executed with the privileges of the application process, allowing the attacker to read sensitive files, modify data, or establish reverse shells. …
Remediation	No vendor-released patch identified at time of analysis. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

EUVD-2026-18202 vulnerability details – vuln.today

Back