Home

Description

A vulnerability was found in 54yyyu code-mcp up to 4cfc4643541a110c906d93635b391bf7e357f4a8. The impacted element is the function git_operation of the file src/code_mcp/server.py of the component MCP Tool. Performing a manipulation of the argument operation results in command injection. The attack can be initiated remotely. The exploit has been made public and could be used. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The project was informed of the problem early through an issue report but has not responded yet.

PUBLISHED Reserved 2026-05-04 | Published 2026-05-05 | Updated 2026-05-05 | Assigner VulDB




MEDIUM: 6.9CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P
HIGH: 7.3CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
HIGH: 7.3CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
7.5AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR

Problem types

Command Injection

Injection

Product status

4cfc4643541a110c906d93635b391bf7e357f4a8
affected

Timeline

2026-05-04:Advisory disclosed
2026-05-04:VulDB entry created
2026-05-04:VulDB entry last update

Credits

CPT_Penner (VulDB User) reporter

VulDB CNA Team coordinator

References

vuldb.com/vuln/361072 (VDB-361072 | 54yyyu code-mcp MCP Tool server.py git_operation command injection) vdb-entry technical-description

vuldb.com/vuln/361072/cti (VDB-361072 | CTI Indicators (IOB, IOC, TTP, IOA)) signature permissions-required

vuldb.com/submit/807752 (Submit #807752 | 54yyyu code-mcp 4cfc4643541a110c906d93635b391bf7e357f4a8 Command Injection) third-party-advisory

github.com/54yyyu/code-mcp/issues/5 exploit issue-tracking

github.com/54yyyu/code-mcp/ product

cve.org (CVE-2026-7812)

nvd.nist.gov (CVE-2026-7812)

Download JSON