CVE-2026-4496
MEDIUMsigmade Git-MCP-Server gitUtils.ts child_process.exec os command injection
Title source: cnaDescription
A vulnerability was found in sigmade Git-MCP-Server up to 785aa159f262a02d5791a5d8a8e13c507ac42880. Affected by this vulnerability is the function child_process.exec of the file src/gitUtils.ts of the component show_merge_diff/quick_merge_summary/show_file_diff. The manipulation results in os command injection. The attack must be initiated from a local position. The exploit has been made public and could be used. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases. It is advisable to implement a patch to correct this issue. The vendor was contacted early about this disclosure but did not respond in any way.
References (7)
Core 7
Core References
Vdb Entry, Technical Description vdb-entry
technical-description
VDB-352045 | sigmade Git-MCP-Server gitUtils.ts child_process.exec os command injection
https://vuldb.com/?id.352045
Signature, Permissions Required signature
permissions-required
VDB-352045 | CTI Indicators (IOB, IOC, TTP, IOA)
https://vuldb.com/?ctiid.352045
Third Party Advisory third-party-advisory
Submit #773796 | sigmade Git-MCP-Server <=1.0.0 Command Injection
https://vuldb.com/?submit.773796
Issue Tracking issue-tracking
https://github.com/sigmade/Git-MCP-Server/issues/1
Patch issue-tracking
patch
https://github.com/sigmade/Git-MCP-Server/pull/2
Product product
https://github.com/sigmade/Git-MCP-Server/
Scores
CVSS v3
5.3
EPSS
0.0070
EPSS Percentile
48.1%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-77
CWE-78
Status
published
Products (1)
sigmade/Git-MCP-Server
785aa159f262a02d5791a5d8a8e13c507ac42880
Published
Mar 20, 2026
Tracked Since
Mar 21, 2026