Is there a public PoC exploit available for EUVD-2026-19136?

Yes, a public proof-of-concept exploit is available for EUVD-2026-19136. Prioritise patching immediately. EPSS: 0.1%.

Is there a patch available for EUVD-2026-19136?

Yes, a patch is available for EUVD-2026-19136. Update the affected software to the latest version immediately.

Magento2 Dev Mcp EUVD-2026-19136

Q: What is the CVSS score of EUVD-2026-19136?

EUVD-2026-19136 has a CVSS 4.0 base score of 1.9 (Low). CVSS vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.1%.

| CVE-2026-5603 LOW

OS Command Injection (CWE-78)

2026-04-05 VulDB

GHSA-xqv9-qr76-hfq2

Command Injection Magento2 Dev Mcp

1.9

CVSS 4.0 · NVD

Severity by source

NVD PRIMARY

1.9 LOW

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Lifecycle Timeline

Severity Changed

Apr 29, 2026 - 01:11 NVD

MEDIUM LOW

CVSS changed

Apr 29, 2026 - 01:11 NVD

4.8 (MEDIUM) 1.9 (LOW)

PoC Detected

Apr 07, 2026 - 13:20 vuln.today

Public exploit code

EUVD ID Assigned

Apr 05, 2026 - 23:00 euvd

EUVD-2026-19136

Analysis Generated

Apr 05, 2026 - 23:00 vuln.today

Patch released

Apr 05, 2026 - 23:00 nvd

Patch available

CVE Published

Apr 05, 2026 - 22:30 nvd

MEDIUM 4.8

DescriptionCVE.org

A vulnerability was identified in elgentos magento2-dev-mcp up to 1.0.2. The affected element is the function executeMagerun2Command of the file src/index.ts. Such manipulation leads to os command injection. An attack has to be approached locally. The exploit is publicly available and might be used. The name of the patch is aa1ffcc0aea1b212c69787391783af27df15ae9d. A patch should be applied to remediate this issue.

AnalysisAI

OS command injection in elgentos magento2-dev-mcp up to version 1.0.2 allows local authenticated users to execute arbitrary system commands through the executeMagerun2Command function in src/index.ts. The vulnerability requires local access and valid user privileges but grants low-impact code execution capabilities. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Vulnerability AssessmentAI

Risk Assessment	While the CVSS v4.0 base score of 4.8 (low-to-moderate) reflects the limited impact (VC:L/VI:L/VA:L), the presence of publicly available exploit code and local attack vector elevates real-world concern for development teams. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	A developer with local access to a machine or CI/CD pipeline runner executing magento2-dev-mcp can craft a malicious argument to the executeMagerun2Command function that includes shell metacharacters (e.g., backticks, semicolons, or pipe operators). When the function processes this input without sanitization, the injected commands execute with the privileges of the user running the tool. …
Remediation	Vendor-released patch: update elgentos magento2-dev-mcp to a version containing commit aa1ffcc0aea1b212c69787391783af27df15ae9d or later. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

EUVD-2026-19136 vulnerability details – vuln.today

Back