Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
8DescriptionCVE.org
A flaw has been found in chatboxai chatbox up to 1.20.0. This impacts the function StdioClientTransport of the file src/main/mcp/ipc-stdio-transport.ts of the component Model Context Protocol Server Management System. Executing a manipulation of the argument args/env can lead to os command injection. The attack can be launched remotely. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet.
AnalysisAI
OS command injection in chatboxai chatbox up to version 1.20.0 allows remote attackers to execute arbitrary system commands by manipulating the args/env parameters in the StdioClientTransport component of the Model Context Protocol Server Management System. The vulnerability has a publicly available proof-of-concept exploit and affects the IPC stdio transport mechanism that handles subprocess spawning without proper input sanitization. While the vendor was notified early, no patch has been released as of the analysis date.
Technical ContextAI
The vulnerability exists in the StdioClientTransport class within src/main/mcp/ipc-stdio-transport.ts, which is responsible for managing inter-process communication via standard input/output in the Model Context Protocol (MCP) implementation. This component spawns and manages subprocess execution, likely using Node.js child_process APIs. CWE-78 (Improper Neutralization of Special Elements used in an OS Command) indicates that user-controlled input-specifically the 'args' and 'env' parameters-is passed directly to OS command execution without adequate validation or escaping. The attack surface is exposed through the MCP Server Management System, which handles protocol communication that may originate from remote sources. The vulnerability stems from insufficient input sanitization before these parameters are used in subprocess initialization calls.
RemediationAI
Immediate remediation requires upgrading chatboxai chatbox to a version newer than 1.20.0 if a patched release becomes available; monitor the official GitHub repository and releases page for updates. In the interim, restrict network access to the MCP Server Management System and the StdioClientTransport endpoint to trusted sources only, using network segmentation, firewall rules, or access control lists. Disable or isolate chatbox instances that are exposed to untrusted networks or the public internet until a patch is released. Review and audit any subprocess spawning in chatbox configuration to ensure args and env parameters are not derived from user input without validation. Subscribe to security notifications on the GitHub repository (https://github.com/chatboxai/chatbox) and VulDB (https://vuldb.com/vuln/356993) for patch announcements.
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-21746