CVE-2026-7812
HIGH54yyyu code-mcp MCP Tool server.py git_operation command injection
Title source: cnaDescription
A vulnerability was found in 54yyyu code-mcp up to 4cfc4643541a110c906d93635b391bf7e357f4a8. The impacted element is the function git_operation of the file src/code_mcp/server.py of the component MCP Tool. Performing a manipulation of the argument operation results in command injection. The attack can be initiated remotely. The exploit has been made public and could be used. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The project was informed of the problem early through an issue report but has not responded yet.
References (5)
Core 5
Core References
Vdb Entry, Technical Description vdb-entry
technical-description
VDB-361072 | 54yyyu code-mcp MCP Tool server.py git_operation command injection
https://vuldb.com/vuln/361072
Signature, Permissions Required signature
permissions-required
VDB-361072 | CTI Indicators (IOB, IOC, TTP, IOA)
https://vuldb.com/vuln/361072/cti
Third Party Advisory third-party-advisory
Submit #807752 | 54yyyu code-mcp 4cfc4643541a110c906d93635b391bf7e357f4a8 Command Injection
https://vuldb.com/submit/807752
Exploit exploit
issue-tracking
https://github.com/54yyyu/code-mcp/issues/5
Product product
https://github.com/54yyyu/code-mcp/
Scores
CVSS v3
7.3
EPSS
0.0134
EPSS Percentile
67.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-74
CWE-77
Status
published
Products (1)
54yyyu/code-mcp
4cfc4643541a110c906d93635b391bf7e357f4a8
Published
May 05, 2026
Tracked Since
May 05, 2026