Skip to main content

Roslyn Codelens Mcp

1 CVEs product

Monthly

CVE-2026-45555 HIGH PATCH This Week

Arbitrary code execution in Roslyn CodeLens MCP Server versions 0.0.9 through 1.17.0 allows attackers to run code in the MCP server process by tricking a victim into opening a malicious .NET solution. The get_diagnostics tool automatically loads and executes any DiagnosticAnalyzer DLL referenced by a .csproj without allowlist, signature validation, or user prompt, and includeAnalyzers defaults to true. No public exploit identified at time of analysis, but the attack pattern (malicious project file + attacker-controlled DLL) is well understood and trivial to weaponize.

RCE Code Injection Roslyn Codelens Mcp
NVD GitHub
CVSS 3.1
7.8
EPSS
0.0%
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Arbitrary code execution in Roslyn CodeLens MCP Server versions 0.0.9 through 1.17.0 allows attackers to run code in the MCP server process by tricking a victim into opening a malicious .NET solution. The get_diagnostics tool automatically loads and executes any DiagnosticAnalyzer DLL referenced by a .csproj without allowlist, signature validation, or user prompt, and includeAnalyzers defaults to true. No public exploit identified at time of analysis, but the attack pattern (malicious project file + attacker-controlled DLL) is well understood and trivial to weaponize.

RCE Code Injection Roslyn Codelens Mcp
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy