Mcp Server Taskwarrior EUVD-2026-20841

CVE-2026-5833 · LOW
Command Injection (CWE-77)
2026-04-09 · VulDB · GHSA-95hg-3c55-xf9x
CVSS 4.0 score: 1.9 (NVD)

Severity by source

NVD PRIMARY
1.9 LOW
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: X

Lifecycle Timeline

7 events

  • Apr 29, 2026 - 01:11 (NVD): Severity changed, MEDIUM to LOW
  • Apr 29, 2026 - 01:11 (NVD): CVSS changed, 4.8 (MEDIUM) to 1.9 (LOW)
  • Apr 09, 2026 - 04:17 (vuln.today): PoC detected, public exploit code
  • Apr 09, 2026 - 03:30 (euvd): EUVD ID assigned, EUVD-2026-20841
  • Apr 09, 2026 - 03:30 (vuln.today): Analysis generated
  • Apr 09, 2026 - 03:30 (nvd): Patch released, patch available
  • Apr 09, 2026 - 02:15 (nvd): CVE published, MEDIUM 4.8

Blast Radius

Ecosystem impact

  • 1 npm package depends on mcp-server-taskwarrior (1 direct, 0 indirect)

Ecosystem-wide dependent count for version 1.0.1.

Description (CVE.org)

A security vulnerability has been detected in awwaiid mcp-server-taskwarrior up to 1.0.1. This impacts the function server.setRequestHandler of the file index.ts. Such manipulation of the argument Identifier leads to command injection. The attack must be carried out locally. The exploit has been disclosed publicly and may be used. The name of the patch is 1ee3d282debfa0a99afeb41d22c4b2fd5a3148f2. Applying a patch is advised to resolve this issue. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.

Analysis (AI)

Command injection in awwaiid mcp-server-taskwarrior up to version 1.0.1 allows local authenticated attackers to execute arbitrary system commands via manipulation of the Identifier argument in the server.setRequestHandler function of index.ts. Publicly available exploit code exists, and the vendor has released a patched version following responsible disclosure practices. …

Vulnerability Assessment (AI)

Risk Assessment: CVSS 5.3 with vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L indicates a local attack vector requiring low privileges (PR:L), low attack complexity, and no user interaction, factors that reduce the theoretical barrier to exploitation. …

Exploit Scenario: An attacker with local shell access to a system running mcp-server-taskwarrior crafts a malicious request to the setRequestHandler function, embedding shell metacharacters (e.g., backticks, pipe operators, or semicolons) within the Identifier parameter. When the server processes the request without sanitization, the injected commands execute with the privileges of the mcp-server-taskwarrior process, allowing the attacker to read sensitive files, modify task data, or escalate privileges. …

Remediation: Vendor-released patch: upgrade to the version incorporating commit 1ee3d282debfa0a99afeb41d22c4b2fd5a3148f2, which sanitizes the Identifier argument before passing it to command execution functions. …
