PT-2026-35150 · Unknown · Gitpilot-Mcp
Bigw · Published 2026-04-25 · Updated 2026-04-25 · CVE-2026-6980
CVSS v2.0: 7.5 (High)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions
Divyanshu-hash GitPilot-MCP versions up to 9ed9f153ba4158a2ad230ee4871b25130da29ffd
Description
Remote command injection is possible through the manipulation of the command argument. This issue impacts the repo path() function within the main.py file, allowing an attacker to execute arbitrary commands remotely.
Recommendations
As a temporary workaround, consider restricting the use of the repo path() function until a fix is available.
Exploit
Fix
Special Elements Injection
Command Injection
Related Identifiers
Affected Products
Gitpilot-Mcp