CVE-2026-7064

HIGH

AgentDeskAI browser-tools-mcp browser-connector.ts os command injection

Title source: cna

Description

A flaw has been found in AgentDeskAI browser-tools-mcp up to 1.2.0. This issue affects some unknown processing of the file browser-tools-server/browser-connector.ts. Executing a manipulation can lead to os command injection. The attack may be performed from remote. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet.

References (5)

[Vdb Entry] https://vuldb.com/vuln/359639

[Signature, Permissions Required] https://vuldb.com/vuln/359639/cti

[Third Party Advisory] https://vuldb.com/submit/798616

[Exploit] https://github.com/AgentDeskAI/browser-tools-mcp/issues/232

[Product] https://github.com/AgentDeskAI/browser-tools-mcp/

Scores

CVSS v3 7.3

EPSS 0.0030

EPSS Percentile 53.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-77 CWE-78

Status published

Products (3)

AgentDeskAI/browser-tools-mcp 1.0

AgentDeskAI/browser-tools-mcp 1.1

AgentDeskAI/browser-tools-mcp 1.2.0

Published Apr 26, 2026

Tracked Since Apr 27, 2026