Skip to main content

Mcp Server Semgrep

1 CVEs product

Monthly

CVE-2026-7446 npm MEDIUM POC PATCH This Month

OS command injection in VetCoders mcp-server-semgrep 1.0.0 allows remote unauthenticated attackers to execute arbitrary commands via unsanitized ID arguments passed to multiple analysis functions (analyze_results, filter_results, export_results, compare_results, scan_directory, create_rule) in src/index.ts. The vulnerability stems from unsafe use of child_process.exec() which interpolates user input into shell command strings. Publicly available exploit code exists, and vendor-released patch version 1.0.1 is available.

Command Injection Mcp Server Semgrep
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.8%
EPSS 1% CVSS 5.5
MEDIUM POC PATCH This Month

OS command injection in VetCoders mcp-server-semgrep 1.0.0 allows remote unauthenticated attackers to execute arbitrary commands via unsanitized ID arguments passed to multiple analysis functions (analyze_results, filter_results, export_results, compare_results, scan_directory, create_rule) in src/index.ts. The vulnerability stems from unsafe use of child_process.exec() which interpolates user input into shell command strings. Publicly available exploit code exists, and vendor-released patch version 1.0.1 is available.

Command Injection Mcp Server Semgrep
NVD VulDB GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy