CVE-2026-7446
HIGHVetCoders mcp-server-semgrep MCP index.ts create_rule os command injection
Title source: cnaDescription
A vulnerability was detected in VetCoders mcp-server-semgrep 1.0.0. This affects the function analyze_results/filter_results/export_results/compare_results/scan_directory/create_rule of the file src/index.ts of the component MCP Interface. The manipulation of the argument ID results in os command injection. The attack can be executed remotely. The exploit is now public and may be used. Upgrading to version 1.0.1 is able to mitigate this issue. The patch is identified as 141335da044e53c3f5b315e0386e01238405b771. It is advisable to upgrade the affected component.
References (8)
Core 8
Core References
Vdb Entry, Technical Description vdb-entry
technical-description
VDB-360187 | VetCoders mcp-server-semgrep MCP index.ts create_rule os command injection
https://vuldb.com/vuln/360187
Signature, Permissions Required signature
permissions-required
VDB-360187 | CTI Indicators (IOB, IOC, TTP, IOA)
https://vuldb.com/vuln/360187/cti
Third Party Advisory third-party-advisory
Submit #804100 | VetCoders mcp-server-semgrep 1.0.0 Command Injection
https://vuldb.com/submit/804100
Patch issue-tracking
patch
https://github.com/VetCoders/mcp-server-semgrep/pull/15
Patch patch
https://github.com/VetCoders/mcp-server-semgrep/commit/141335da044e53c3f5b315e0386e01238405b771
Product product
https://github.com/VetCoders/mcp-server-semgrep/
Exploit exploit
issue-tracking
https://github.com/VetCoders/mcp-server-semgrep/issues/12
Scores
CVSS v3
7.3
EPSS
0.0139
EPSS Percentile
68.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-77
CWE-78
Status
published
Products (3)
npm/mcp-server-semgrep
0 - 1.0.1npm
VetCoders/mcp-server-semgrep
1.0.0
VetCoders/mcp-server-semgrep
1.0.1
Published
Apr 30, 2026
Tracked Since
Apr 30, 2026