CVE-2026-7038

LOW

tufantunc ssh-mcp Command Line index.ts insufficiently protected credentials

Title source: cna

Description

A weakness has been identified in tufantunc ssh-mcp up to 1.5.0. Impacted is an unknown function of the file src/index.ts of the component Command Line Handler. This manipulation causes insufficiently protected credentials. The attack is restricted to local execution. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.

References (5)

[Vdb Entry] https://vuldb.com/vuln/359618

[Signature, Permissions Required] https://vuldb.com/vuln/359618/cti

[Third Party Advisory] https://vuldb.com/submit/798525

[Exploit] https://github.com/tufantunc/ssh-mcp/issues/42

[Product] https://github.com/tufantunc/ssh-mcp/

Scores

CVSS v3 3.3

EPSS 0.0001

EPSS Percentile 1.1%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-522

Status published

Products (6)

tufantunc/ssh-mcp 1.0

tufantunc/ssh-mcp 1.1

tufantunc/ssh-mcp 1.2

tufantunc/ssh-mcp 1.3

tufantunc/ssh-mcp 1.4

tufantunc/ssh-mcp 1.5.0

Published Apr 26, 2026

Tracked Since Apr 26, 2026