PT-2026-36030 · Vetcoders · Mcp-Server-Semgrep

Eternity · Published 2026-04-30 · Updated 2026-05-02 · CVE-2026-7446

CVSS v2.0: 7.5 (High)

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions

VetCoders mcp-server-semgrep version 1.0.0

Description

Remote OS command injection is possible within the MCP Interface component in the file src/index.ts. The issue occurs when the ID argument is manipulated, affecting the functions analyze_results(), filter_results(), export_results(), compare_results(), scan_directory(), and create_rule().

Recommendations

Upgrade to version 1.0.1.

Exploit

Fix

Command Injection

OS Command Injection

Weakness Enumeration

Related Identifiers

CVE-2026-7446
GHSA-86HP-QXQP-W9WV

Affected Products

Mcp-Server-Semgrep