EUVD-2026-21746

CVE-2026-6130 (MEDIUM)
2026-04-12, VulDB
CVSS 4.0: 6.9

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: X

Lifecycle Timeline

3 events

Analysis Generated: Apr 12, 2026 - 22:24 (vuln.today)
Severity Changed: Apr 12, 2026 - 22:22 (NVD), HIGH → MEDIUM
CVSS Changed: Apr 12, 2026 - 22:22 (NVD), 7.3 (HIGH) → 6.9 (MEDIUM)

Description

A flaw has been found in chatboxai chatbox up to 1.20.0. This impacts the function StdioClientTransport of the file src/main/mcp/ipc-stdio-transport.ts of the component Model Context Protocol Server Management System. Manipulating the argument args/env can lead to OS command injection. The attack can be launched remotely. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet.

Analysis

OS command injection in chatboxai chatbox up to version 1.20.0 allows remote attackers to execute arbitrary system commands by manipulating the args/env parameters in the StdioClientTransport component of the Model Context Protocol Server Management System. The vulnerability has a publicly available proof-of-concept exploit and affects the IPC stdio transport mechanism that handles subprocess spawning without proper input sanitization. …


Priority Score

54
KEV: 0
EPSS: +0.0
CVSS: +34
POC: +20
