Jimeng Mcp
Path traversal in jimeng-mcp 1.10.0 allows low-privileged remote attackers to read and write files outside the intended directory by supplying crafted filePath arguments to four distinct API functions: getFileContent, uploadCoverFile, generateImage, and generateVideo in src/api.ts. A publicly available proof-of-concept exploit exists, disclosed via GitHub issue #15, though EPSS at 0.04% (13th percentile) indicates minimal observed mass-exploitation activity to date. No patch has been released and the vendor has not responded to the responsible disclosure, leaving deployments without an official remediation path.
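With no upstream patch available, the mitigation an operator or fork maintainer would apply is a containment check on every caller-supplied filePath before any read or write. The TypeScript sketch below is an added example, not jimeng-mcp code: `resolveInside`, `lexists`, `demo`, the temporary base directory and the sample inputs are assumptions, and this page does not show how the four functions in src/api.ts actually consume filePath.

```typescript
import * as fs from "node:fs";
import * as os from "node:os";
import * as path from "node:path";

// lstat-based existence test: a dangling symlink still counts as existing,
// so realpathSync below fails on it and the request is rejected.
function lexists(p: string): boolean {
  try { fs.lstatSync(p); return true; } catch { return false; }
}

// Hypothetical guard (not from jimeng-mcp): map a caller-supplied filePath to
// a real path under baseDir, or throw. Intended for both read and write paths.
function resolveInside(baseDir: string, filePath: string): string {
  if (filePath.length === 0 || filePath.includes("\0")) {
    throw new Error("invalid filePath");
  }
  const base = fs.realpathSync(baseDir);
  // path.resolve lets an absolute filePath replace base, so check afterwards.
  let existing = path.resolve(base, filePath);
  const tail: string[] = [];
  // A write target may not exist yet: walk up to the deepest existing
  // ancestor and resolve symlinks there.
  while (!lexists(existing)) {
    tail.unshift(path.basename(existing));
    existing = path.dirname(existing);
  }
  const real = path.join(fs.realpathSync(existing), ...tail);
  const rel = path.relative(base, real);
  if (rel === "" || rel === ".." || rel.startsWith(".." + path.sep) || path.isAbsolute(rel)) {
    throw new Error("filePath resolves outside the allowed directory");
  }
  return real;
}

// Constructed inputs: one legitimate path and three escape attempts.
function demo(): Record<string, boolean> {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), "mcp-files-"));
  fs.mkdirSync(path.join(base, "covers"));
  fs.symlinkSync(os.tmpdir(), path.join(base, "link")); // symlink leaving base
  const allowed: Record<string, boolean> = {};
  for (const p of ["covers/new.png", "../../etc/passwd", "/etc/passwd", "link/x.txt"]) {
    try { resolveInside(base, p); allowed[p] = true; } catch { allowed[p] = false; }
  }
  return allowed;
}
```

The check and the later file open are separate steps, so it does not cover a symlink swapped in between them by someone who can already write inside the base directory.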