CVE-2026-4496
MEDIUMsigmade Git-MCP-Server gitUtils.ts child_process.exec os command injection
Title source: cnaDescription
A vulnerability was found in sigmade Git-MCP-Server up to 785aa159f262a02d5791a5d8a8e13c507ac42880. Affected by this vulnerability is the function child_process.exec of the file src/gitUtils.ts of the component show_merge_diff/quick_merge_summary/show_file_diff. The manipulation results in os command injection. The attack must be initiated from a local position. The exploit has been made public and could be used. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases. It is advisable to implement a patch to correct this issue. The vendor was contacted early about this disclosure but did not respond in any way.
References (7)
Scores
CVSS v3
5.3
EPSS
0.0037
EPSS Percentile
58.9%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-77
CWE-78
Status
published
Products (1)
sigmade/Git-MCP-Server
785aa159f262a02d5791a5d8a8e13c507ac42880
Published
Mar 20, 2026
Tracked Since
Mar 21, 2026