CVE-2026-5802

HIGH

idachev mcp-javadc HTTP os command injection

Title source: cna

Description

A vulnerability was identified in idachev mcp-javadc up to 1.2.4. Impacted is an unknown function of the component HTTP Interface. Such manipulation of the argument jarFilePath leads to os command injection. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet.

References (6)

[Vdb Entry, Technical Description] https://vuldb.com/vuln/356241

[Signature, Permissions Required] https://vuldb.com/vuln/356241/cti

[Third Party Advisory] https://vuldb.com/submit/786974

[Issue Tracking] https://github.com/idachev/mcp-javadc/issues/7

[Exploit] https://github.com/BruceJqs/public_exp/issues/2

[Product] https://github.com/idachev/mcp-javadc/

Scores

CVSS v3 7.3

EPSS 0.0176

EPSS Percentile 82.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-77 CWE-78

Status published

Products (5)

idachev/mcp-javadc 1.2.0

idachev/mcp-javadc 1.2.1

idachev/mcp-javadc 1.2.2

idachev/mcp-javadc 1.2.3

idachev/mcp-javadc 1.2.4

Published Apr 08, 2026

Tracked Since Apr 09, 2026