Excel Mcp
Path traversal in ishayoyo excel-mcp (all versions through 1.0.2) allows remote low-privileged attackers to read or write arbitrary files on the host system by manipulating the filePath or outputPath arguments passed to the read_file and write_file MCP tool handlers in src/index.ts. The CVSS 4.0 score is 2.1 (Low), but a proof-of-concept exploit is publicly available through a GitHub issue disclosure, and no vendor patch has been released; the maintainer has not responded to the responsible disclosure report. Active exploitation had not been confirmed (CISA KEV) at time of analysis.
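With no vendor patch available, the missing control is a containment check on filePath and outputPath before any file is opened. The following is an added example, not code from excel-mcp or its maintainer; the helper name `resolveInsideRoot` and the idea of a single configured workspace directory are assumptions made for illustration.

```typescript
import * as fs from "node:fs";
import * as os from "node:os";
import * as path from "node:path";

// Hypothetical helper (not excel-mcp code): map a tool-supplied path to a
// real path under `root`, or throw. `root` is an assumed workspace setting.
function resolveInsideRoot(root: string, userPath: string): string {
  if (typeof userPath !== "string" || userPath === "" || userPath.includes("\0")) {
    throw new Error("invalid path argument");
  }
  const realRoot = fs.realpathSync(root);
  // An absolute userPath replaces realRoot here; the check below catches it.
  let existing = path.resolve(realRoot, userPath);
  const tail: string[] = [];
  // Walk up to the deepest entry that exists (lstat also sees dangling
  // symlinks), so outputPath targets that do not exist yet are covered.
  while (!fs.lstatSync(existing, { throwIfNoEntry: false })) {
    tail.unshift(path.basename(existing));
    existing = path.dirname(existing);
  }
  // realpath follows symlinks, so a link inside root that points out is caught.
  const real = path.join(fs.realpathSync(existing), ...tail);
  const rel = path.relative(realRoot, real);
  if (rel === "" || rel === ".." || rel.startsWith(".." + path.sep) || path.isAbsolute(rel)) {
    throw new Error("path escapes workspace root");
  }
  return real;
}

// Constructed sample inputs run against a throwaway workspace directory.
function demo(): Record<string, string> {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), "mcp-demo-"));
  const root = path.join(base, "workspace");
  fs.mkdirSync(root);
  fs.writeFileSync(path.join(root, "report.xlsx"), "");
  fs.symlinkSync(base, path.join(root, "link")); // symlink leading out of root
  const samples = ["report.xlsx", "out/new.csv", "../secret.txt", "sub/../../x",
                   "/etc/passwd", "link/secret.txt"];
  const verdicts: Record<string, string> = {};
  for (const p of samples) {
    try { resolveInsideRoot(root, p); verdicts[p] = "allowed"; }
    catch { verdicts[p] = "rejected"; }
  }
  fs.rmSync(base, { recursive: true, force: true });
  return verdicts;
}

console.log(demo());
```

A handler should open the path the helper returns, not the original argument. The check and the later open are separate steps, so it does not protect a workspace whose contents an untrusted party can modify between them.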