CVE-2026-7715

MEDIUM

ravenwits mcp-server-arangodb MCP tools.ts arango_backup path traversal

Title source: cna

Description

A vulnerability has been found in ravenwits mcp-server-arangodb up to 0.4.7. This affects the function arango_backup of the file src/tools.ts of the component MCP Interface. Such manipulation of the argument outputDir leads to path traversal. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet.

References (6)

Core 6

Core References

Vdb Entry, Technical Description vdb-entry technical-description

VDB-360891 | ravenwits mcp-server-arangodb MCP tools.ts arango_backup path traversal

https://vuldb.com/vuln/360891

Signature, Permissions Required signature permissions-required

VDB-360891 | CTI Indicators (IOB, IOC, TTP, IOA)

https://vuldb.com/vuln/360891/cti

Third Party Advisory third-party-advisory

Submit #806913 | ravenwits mcp-server-arangodb 0.4.7 Path Traversal

https://vuldb.com/submit/806913

Issue Tracking issue-tracking

https://github.com/ravenwits/mcp-server-arangodb/issues/7

Exploit exploit issue-tracking

https://github.com/BruceJqs/public_exp/issues/34

Product product

https://github.com/ravenwits/mcp-server-arangodb/

Scores

CVSS v3 6.3

EPSS 0.0029

EPSS Percentile 20.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-22

Status published

Products (8)

ravenwits/mcp-server-arangodb 0.4.0

ravenwits/mcp-server-arangodb 0.4.1

ravenwits/mcp-server-arangodb 0.4.2

ravenwits/mcp-server-arangodb 0.4.3

ravenwits/mcp-server-arangodb 0.4.4

ravenwits/mcp-server-arangodb 0.4.5

ravenwits/mcp-server-arangodb 0.4.6

ravenwits/mcp-server-arangodb 0.4.7

Published May 04, 2026

Tracked Since May 04, 2026