Skip to main content

Godot Mcp

2 CVEs product

Monthly

CVE-2026-15522 LOW POC PATCH Monitor

Path traversal in tugcantopaloglu godot-mcp 2.0.0 allows a local low-privileged user to escape the intended project directory by manipulating the projectPath argument passed to the validatePath function within the run_project component. A public proof-of-concept has been disclosed via GitHub issue #9, raising practical exploitability above the raw CVSS score of 4.8 would suggest. No active exploitation is confirmed by CISA KEV; a vendor-released patch is available in version 3.0.0.

Path Traversal Godot Mcp
NVD VulDB GitHub
CVSS 4.0
1.9
EPSS
0.1%
CVE-2026-25546 npm HIGH PATCH This Week

Remote code execution in Godot MCP prior to version 0.1.1 results from unsafe shell command execution when processing user-supplied project paths. An unauthenticated attacker can inject shell metacharacters through multiple tools (create_scene, add_node, load_sprite, etc.) to execute arbitrary commands with the privileges of the MCP server process. No patch is currently available for affected deployments.

RCE Command Injection Godot Mcp
NVD GitHub VulDB
CVSS 3.1
7.8
EPSS
0.0%
EPSS 0% CVSS 1.9
LOW POC PATCH Monitor

Path traversal in tugcantopaloglu godot-mcp 2.0.0 allows a local low-privileged user to escape the intended project directory by manipulating the projectPath argument passed to the validatePath function within the run_project component. A public proof-of-concept has been disclosed via GitHub issue #9, raising practical exploitability above the raw CVSS score of 4.8 would suggest. No active exploitation is confirmed by CISA KEV; a vendor-released patch is available in version 3.0.0.

Path Traversal Godot Mcp
NVD VulDB GitHub
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Remote code execution in Godot MCP prior to version 0.1.1 results from unsafe shell command execution when processing user-supplied project paths. An unauthenticated attacker can inject shell metacharacters through multiple tools (create_scene, add_node, load_sprite, etc.) to execute arbitrary commands with the privileges of the MCP server process. No patch is currently available for affected deployments.

RCE Command Injection Godot Mcp
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy