Code Mcp
Monthly
Command injection in code-mcp's git_operation function allows remote attackers to execute arbitrary system commands by manipulating the operation argument. The vulnerability affects all versions up to commit 4cfc4643541a110c906d93635b391bf7e357f4a8 and has publicly available exploit code. Continuous delivery model means no versioned releases exist, complicating patching timelines.
Path traversal vulnerability in 54yyyu code-mcp's MCP File Handler (function is_safe_path in src/code_mcp/server.py) allows remote unauthenticated attackers to access files outside intended directories with low confidentiality, integrity, and availability impact. Publicly available exploit code exists; the project uses rolling releases without versioned releases, and the vendor has not yet responded to early disclosure.
Command injection in code-mcp's git_operation function allows remote attackers to execute arbitrary system commands by manipulating the operation argument. The vulnerability affects all versions up to commit 4cfc4643541a110c906d93635b391bf7e357f4a8 and has publicly available exploit code. Continuous delivery model means no versioned releases exist, complicating patching timelines.
Path traversal vulnerability in 54yyyu code-mcp's MCP File Handler (function is_safe_path in src/code_mcp/server.py) allows remote unauthenticated attackers to access files outside intended directories with low confidentiality, integrity, and availability impact. Publicly available exploit code exists; the project uses rolling releases without versioned releases, and the vendor has not yet responded to early disclosure.