Which versions of gmx-vmd-mcp are affected by EUVD-2026-25971?

CVE-2026-7215 is a high-severity remote command injection vulnerability in egtai gmx-vmd-mcp that allows unauthenticated attackers to execute arbitrary commands on systems running the affected…

Is there a public PoC exploit available for EUVD-2026-25971?

Yes, a public proof-of-concept exploit is available for EUVD-2026-25971. Prioritise patching immediately. EPSS: 1.0%.

gmx-vmd-mcp EUVD-2026-25971

Q: What is the CVSS score of EUVD-2026-25971?

EUVD-2026-25971 has a CVSS 4.0 base score of 5.5 (Medium). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 1.0%.

| CVE-2026-7215 MEDIUM

Command Injection (CWE-77)

2026-04-28 VulDB

Command Injection

5.5

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

CVSS changed

Apr 29, 2026 - 01:12 NVD

6.9 (MEDIUM) 5.5 (MEDIUM)

PoC Detected

Apr 29, 2026 - 01:00 vuln.today

Public exploit code

Severity Changed

Apr 28, 2026 - 03:22 NVD

HIGH MEDIUM

CVSS changed

Apr 28, 2026 - 03:22 NVD

7.3 (HIGH) 6.9 (MEDIUM)

Analysis Generated

Apr 28, 2026 - 03:15 vuln.today

EUVD ID Assigned

Apr 28, 2026 - 03:00 euvd

EUVD-2026-25971

Analysis Generated

Apr 28, 2026 - 03:00 vuln.today

CVE Published

Apr 28, 2026 - 02:00 nvd

MEDIUM 5.5

DescriptionNVD

A security flaw has been discovered in egtai gmx-vmd-mcp up to 0.1.0. This issue affects the function launch_vmd_gui_tool of the file mcp_server.py of the component VMD Launch Handler. The manipulation of the argument structure_file/trajectory_file results in command injection. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.

AnalysisAI

Remote command injection in egtai gmx-vmd-mcp through version 0.1.0 enables unauthenticated attackers to execute arbitrary system commands by injecting malicious payloads into the structure_file or trajectory_file parameters of the VMD Launch Handler in mcp_server.py. A public proof-of-concept exploit exists (GitHub issue #2), significantly lowering the barrier to exploitation. …

RemediationAI

Within 24 hours: Identify all systems running egtai gmx-vmd-mcp version 0.1.0 or earlier and isolate them from production networks pending remediation. Within 7 days: Disable or uninstall gmx-vmd-mcp if not actively required; if required, implement network-level access controls restricting mcp_server.py to trusted internal networks only and disable direct remote access. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

EUVD-2026-25971 vulnerability details – vuln.today

Back

gmx-vmd-mcp EUVD-2026-25971

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Analysis

Full analysis requires sign-in

Share

gmx-vmd-mcp EUVD-2026-25971

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code