CVE-2026-7627

Name of the Vulnerable Software and Affected Versions 8nite metatrader-4-mcp version 1.0.0

Description A path traversal issue exists in the sync ea from file component within the CallToolRequestSchema() function located in the src/index.ts file. Remote attackers can exploit this by manipulating the ea name argument. Path traversal is a technique that allows an attacker to access files and directories that are stored outside the web root folder by manipulating variables that reference files with dot-dot-slash (../) sequences.

Recommendations As a temporary workaround, restrict the use of the ea name argument in the CallToolRequestSchema() function to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.