CVE-2026-44717 | THREATINT

Description

MCP Calculate Server is a mathematical calculation service based on MCP protocol and SymPy library. Prior to 0.1.1, the use of eval() to evaluate mathematical expressions without proper input sanitization leads to remote code execution. This vulnerability is fixed in 0.1.1.

PUBLISHED Reserved 2026-05-07 | Published 2026-05-15 | Updated 2026-05-15 | Assigner GitHub_M

CRITICAL: 9.8CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Problem types

CWE-94: Improper Control of Generation of Code ('Code Injection')

CWE-1427:

Product status

< 0.1.1

affected

References

github.com/...server/security/advisories/GHSA-2mgq-7rfg-rwpj

cve.org (CVE-2026-44717)

nvd.nist.gov (CVE-2026-44717)

Download JSON