Skip to main content

Windows Mcp

1 CVEs product

Monthly

CVE-2026-48989 PyPI HIGH PATCH GHSA This Week

Unauthenticated remote PowerShell execution in CursorTouch Windows-MCP prior to version 0.7.5 allows attackers to reach the MCP control plane over HTTP and invoke the built-in PowerShell tool as the Windows user running the server. The flaw stems from SSE and streamable-http transports being built without an auth provider while wildcard CORS (allow_origins=*) is applied, opening the path to cross-origin browser pages and any non-browser HTTP client. No CISA KEV listing exists, but the CVSS 4.0 vector includes E:P, indicating publicly available exploit code exists.

Authentication Bypass Microsoft Windows Mcp
NVD GitHub VulDB
CVSS 4.0
8.9
EPSS
0.4%
EPSS 0% CVSS 8.9
HIGH PATCH This Week

Unauthenticated remote PowerShell execution in CursorTouch Windows-MCP prior to version 0.7.5 allows attackers to reach the MCP control plane over HTTP and invoke the built-in PowerShell tool as the Windows user running the server. The flaw stems from SSE and streamable-http transports being built without an auth provider while wildcard CORS (allow_origins=*) is applied, opening the path to cross-origin browser pages and any non-browser HTTP client. No CISA KEV listing exists, but the CVSS 4.0 vector includes E:P, indicating publicly available exploit code exists.

Authentication Bypass Microsoft Windows Mcp
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy