Skip to main content

EUVDEUVD-2026-20623

| CVE-2026-5802 MEDIUM
Command Injection (CWE-77)
2026-04-08 cna@vuldb.com GHSA-r8rp-hx65-58jj
5.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
CVSS changed
Apr 29, 2026 - 01:11 NVD
6.9 (MEDIUM) 5.5 (MEDIUM)
EUVD ID Assigned
Apr 08, 2026 - 20:23 euvd
EUVD-2026-20623
Analysis Generated
Apr 08, 2026 - 20:23 vuln.today
CVE Published
Apr 08, 2026 - 20:16 nvd
MEDIUM 6.9

DescriptionCVE.org

A vulnerability was identified in idachev mcp-javadc up to 1.2.4. Impacted is an unknown function of the component HTTP Interface. Such manipulation of the argument jarFilePath leads to os command injection. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet.

AnalysisAI

Remote code execution in idachev mcp-javadc up to version 1.2.4 allows unauthenticated attackers to inject arbitrary operating system commands through the jarFilePath parameter in the HTTP Interface, with publicly available exploit code and a moderate CVSS score of 6.9 reflecting limited confidentiality, integrity, and availability impact.

Technical ContextAI

The vulnerability exists in the HTTP Interface component of mcp-javadc, a Java-based tool for managing classpath dependencies. The root cause is improper input validation (CWE-77: Improper Neutralization of Special Elements used in a Command) on the jarFilePath argument, which is passed to an OS command execution function without sufficient sanitization. This allows attackers to break out of the intended command context and inject arbitrary shell commands. The affected product is identified by CPE targeting idachev mcp-javadc versions through 1.2.4, accessible via the project's GitHub repository at https://github.com/idachev/mcp-javadc/.

RemediationAI

Upgrade idachev mcp-javadc to a version newer than 1.2.4 if a patched release is available; however, no specific patched version was confirmed in available data as of this analysis. Users should contact the project maintainer or monitor the GitHub repository for a security fix. In the interim, restrict network access to the HTTP Interface to trusted hosts only, disable or remove the HTTP Interface if not required, and implement input validation and command injection filters at the application or network perimeter level. Reference the project issue tracker at https://github.com/idachev/mcp-javadc/issues/7 for remediation guidance from the maintainer.

Share

EUVD-2026-20623 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy