Which versions of mcp-game-asset-gen are affected by EUVD-2026-26718?

Flux159 mcp-game-asset-gen version 0.1.0 contains a critical path traversal vulnerability that allows unauthenticated remote attackers to read, modify, or delete arbitrary files on affected systems.

Is there a public PoC exploit available for EUVD-2026-26718?

Yes, a public proof-of-concept exploit is available for EUVD-2026-26718. Prioritise patching immediately. EPSS: 0.0%.

How to fix or mitigate EUVD-2026-26718?

Within 24 hours: Identify all systems running mcp-game-asset-gen 0.1.0 and isolate them from untrusted networks. Within 7 days: Evaluate alternative asset generation solutions or deploy a patched fork if available from the community. Within 30 days: Decommission mcp-game-asset-gen 0.1.0 entirely and migrate to a maintained replacement, or apply network-based input validation controls (see compensating_controls) if business continuity requires continued use pending maintainer patch release.

mcp-game-asset-gen EUVD-2026-26718

Q: What is the CVSS score of EUVD-2026-26718?

EUVD-2026-26718 has a CVSS 4.0 base score of 5.5 (Medium). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

| CVE-2026-7594 MEDIUM

Path Traversal (CWE-22)

2026-05-01 VulDB

Path Traversal

5.5

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

Severity Changed

May 01, 2026 - 21:22 NVD

HIGH MEDIUM

CVSS changed

May 01, 2026 - 21:22 NVD

7.3 (HIGH) 5.5 (MEDIUM)

PoC Detected

May 01, 2026 - 21:16 vuln.today

Public exploit code

Analysis Generated

May 01, 2026 - 21:15 vuln.today

EUVD ID Assigned

May 01, 2026 - 21:01 euvd

EUVD-2026-26718

Analysis Generated

May 01, 2026 - 21:01 vuln.today

CVE Published

May 01, 2026 - 20:30 nvd

MEDIUM 5.5

DescriptionNVD

A vulnerability was detected in Flux159 mcp-game-asset-gen 0.1.0. Affected is the function image_to_3d_async of the file src/index.ts of the component MCP Interface. The manipulation of the argument statusFile results in path traversal. The attack can be executed remotely. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet.

AnalysisAI

Path traversal in Flux159 mcp-game-asset-gen 0.1.0 allows remote unauthenticated attackers to read, write, and potentially delete arbitrary files via manipulation of the statusFile parameter in the image_to_3d_async function. The vulnerability is confirmed actively exploited with publicly available exploit code (GitHub issue #3). …

RemediationAI

Within 24 hours: Identify all systems running mcp-game-asset-gen 0.1.0 and isolate them from untrusted networks. Within 7 days: Evaluate alternative asset generation solutions or deploy a patched fork if available from the community. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

EUVD-2026-26718 vulnerability details – vuln.today

Back

mcp-game-asset-gen EUVD-2026-26718

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Analysis

Full analysis requires sign-in

Share

mcp-game-asset-gen EUVD-2026-26718

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code