CVE-2026-7400

HIGH

geekgod382 filesystem-mcp-server read_file_tool/write_file_tool server.py is_path_allowed path traversal

Title source: cna

Description

A security vulnerability has been detected in geekgod382 filesystem-mcp-server 1.0.0. This issue affects the function is_path_allowed of the file server.py of the component read_file_tool/write_file_tool. Such manipulation leads to path traversal. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 1.1.0 is capable of addressing this issue. The name of the patch is 45364545fc60dc80aadcd4379f08042d3d3d292e. Upgrading the affected component is advised.

References (7)

[Vdb Entry, Technical Description] https://vuldb.com/vuln/360123

[Signature, Permissions Required] https://vuldb.com/vuln/360123/cti

[Third Party Advisory] https://vuldb.com/submit/803495

[Exploit] https://github.com/geekgod382/filesystem-mcp-server/issues/1

[Patch] https://github.com/geekgod382/filesystem-mcp-server/commit/45364545fc60dc80aadcd4379f08042d3d3d292e

View Patch ZIP pw:eip

[Patch] https://github.com/geekgod382/filesystem-mcp-server/releases/tag/v1.1.0

[Product] https://github.com/geekgod382/filesystem-mcp-server/

Scores

CVSS v3 7.3

EPSS 0.0005

EPSS Percentile 15.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-22

Status published

Products (2)

geekgod382/filesystem-mcp-server 1.0.0

geekgod382/filesystem-mcp-server 1.1.0

Published Apr 29, 2026

Tracked Since Apr 30, 2026