Skip to main content

mcp-code-review-server EUVD-2026-26787

| CVE-2026-7628 LOW
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)
2026-05-02 cna@vuldb.com
Command Injection
2.1
CVSS 4.0

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

5
Source Code Evidence Fetched
May 02, 2026 - 12:32 vuln.today
Analysis Generated
May 02, 2026 - 12:32 vuln.today
EUVD ID Assigned
May 02, 2026 - 12:22 euvd
EUVD-2026-26787
Analysis Generated
May 02, 2026 - 12:22 vuln.today
CVE Published
May 02, 2026 - 12:16 nvd
LOW 2.1

DescriptionNVD

A vulnerability was detected in crazyrabbitLTC mcp-code-review-server up to 0.1.0. This issue affects the function executeRepomix of the file src/repomix.ts of the component RepoMix Command Handler. Performing a manipulation results in command injection. The attack may be initiated remotely. The exploit is now public and may be used. The project was informed of the problem early through a pull request but has not reacted yet.

AnalysisAI

Remote command injection in crazyrabbitLTC mcp-code-review-server up to version 0.1.0 allows authenticated attackers to execute arbitrary system commands via manipulation of the executeRepomix function in the RepoMix Command Handler. The vulnerability stems from unsafe use of the exec() function with unsanitized user-supplied options. …

Sign in for full analysis, threat intelligence, and remediation guidance.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Share

EUVD-2026-26787 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy