PT-2026-33073 · Upsonic · Upsonic

Published: 2026-04-15 · Updated: 2026-04-29 · CVE-2026-30625

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Upsonic version 0.71.6
Description: An issue exists in the MCP server/task creation functionality, where users can define MCP tasks with arbitrary command and args values. Although an allowlist of commands is implemented, certain permitted commands such as npm and npx accept argument flags that allow execution of arbitrary OS commands. This can lead to remote code execution with the privileges of the Upsonic process.
Recommendations: Update to version 0.72.0. Restrict network access to mitigate risk.
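The weakness the advisory describes, as an added illustration that is not Upsonic's code and not its actual fix: an allowlist that checks only the executable lets option flags reach npm/npx untouched, whereas a check that also constrains every argument closes that path. The allowlist contents, the package-spec pattern and the function names are assumptions made for this example.

```python
import re

# Constructed allowlist in the shape the advisory describes; the real Upsonic
# allowlist and its 0.72.0 fix are not shown on the advisory page.
ALLOWED_COMMANDS = {"npm", "npx"}

# The only argument shape we accept: a bare npm package spec, optionally
# scoped (@scope/name) and versioned (name@1.2.3). No whitespace, no
# shell metacharacters, and nothing that could be read as an option.
PACKAGE_SPEC = re.compile(
    r"^(@[a-z0-9][a-z0-9._-]*/)?[a-z0-9][a-z0-9._-]*(@[A-Za-z0-9._^~-]+)?$"
)


def validate_weak(command: str, args: list[str]) -> bool:
    """Weak check in the shape the advisory describes: the executable is
    allowlisted, but args are accepted verbatim, so any flag the executable
    understands is passed through unchanged."""
    return command in ALLOWED_COMMANDS


def validate_strict(command: str, args: list[str]) -> bool:
    """Hardened check: allowlist the executable AND every argument.

    - Anything starting with '-' is rejected outright, so the executable's
      own option flags (including the '--' separator) can never be supplied.
    - Every remaining argument must be a plain package spec.
    - At least one argument is required; a bare 'npx' is never a task.
    What the allowlisted commands may legitimately run is still a
    per-deployment decision; this only removes the flag vector.
    """
    if command not in ALLOWED_COMMANDS or not args:
        return False
    for arg in args:
        if arg.startswith("-") or not PACKAGE_SPEC.fullmatch(arg):
            return False
    return True


def build_task_argv(command: str, args: list[str]) -> list[str]:
    """Return the argv for subprocess.run(argv) (no shell) once validated,
    or raise so the task is never created."""
    if not validate_strict(command, args):
        raise ValueError("MCP task rejected: command or arguments not permitted")
    return [command, *args]
```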

Tags: Fix · RCE · Command Injection

Weakness Enumeration

Related Identifiers

CVE-2026-30625
GHSA-CW73-5F7H-M4GV

Affected Products

Upsonic