Which versions of GitPilot-MCP are affected by EUVD-2026-25656?

GitPilot-MCP contains a remote command injection vulnerability (CVE-2026-6980) that allows unauthenticated attackers to execute arbitrary system commands with limited privileges through the repo_path…

Is there a public PoC exploit available for EUVD-2026-25656?

Yes, a public proof-of-concept exploit is available for EUVD-2026-25656. Prioritise patching immediately. EPSS: 1.0%.

GitPilot-MCP EUVD-2026-25656

Q: What is the CVSS score of EUVD-2026-25656?

EUVD-2026-25656 has a CVSS 4.0 base score of 5.5 (Medium). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 1.0%.

| CVE-2026-6980 MEDIUM

Command Injection (CWE-77)

2026-04-25 VulDB

Command Injection

5.5

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

CVSS changed

Apr 29, 2026 - 01:12 NVD

6.9 (MEDIUM) 5.5 (MEDIUM)

PoC Detected

Apr 29, 2026 - 01:00 vuln.today

Public exploit code

Severity Changed

Apr 25, 2026 - 14:22 NVD

HIGH MEDIUM

CVSS changed

Apr 25, 2026 - 14:22 NVD

7.3 (HIGH) 6.9 (MEDIUM)

Analysis Generated

Apr 25, 2026 - 14:00 vuln.today

EUVD ID Assigned

Apr 25, 2026 - 13:45 euvd

EUVD-2026-25656

Analysis Generated

Apr 25, 2026 - 13:45 vuln.today

CVE Published

Apr 25, 2026 - 13:00 nvd

MEDIUM 5.5

DescriptionNVD

A vulnerability has been found in Divyanshu-hash GitPilot-MCP up to 9ed9f153ba4158a2ad230ee4871b25130da29ffd. This impacts the function repo_path of the file main.py. Such manipulation of the argument command leads to command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Remote command injection in GitPilot-MCP allows unauthenticated attackers to execute arbitrary system commands via the repo_path function in main.py. The vulnerability affects all versions up to commit 9ed9f153ba4158a2ad230ee4871b25130da29ffd, with publicly available exploit code demonstrating practical exploitation. …

RemediationAI

Within 24 hours: Identify all systems running GitPilot-MCP and isolate affected instances from production networks; inventory current deployment versions against commit 9ed9f153ba4158a2ad230ee4871b25130da29ffd. Within 7 days: Implement network segmentation to restrict access to GitPilot-MCP endpoints to authorized users only; deploy Web Application Firewall (WAF) rules to block repo_path function calls with suspicious input patterns. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

EUVD-2026-25656 vulnerability details – vuln.today

Back

GitPilot-MCP EUVD-2026-25656

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Analysis

Full analysis requires sign-in

Share

GitPilot-MCP EUVD-2026-25656

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code