PT-2026-36973 · Code-Mcp · Code-Mcp

Cpt_Penner

Published

2026-05-05

Updated

2026-05-05

CVE-2026-7812

CVSS v2.0

7.5

High

Vector

AV:N/AC:L/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions 54yyyu code-mcp versions up to 4cfc4643541a110c906d93635b391bf7e357f4a8

Description Remote command injection is possible in the MCP Tool component. A remote attacker can initiate this attack by manipulating the operation argument within the git operation() function located in the src/code mcp/server.py file.

Recommendations As a temporary workaround, restrict access to or disable the git operation() function until a fix is provided.

Exploit

Fix

Command Injection

Special Elements Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-77CWE-74

Related Identifiers

CVE-2026-7812

Affected Products

Code-Mcp

PT-2026-36973 · Code-Mcp · Code-Mcp

CVE-2026-7812

Weakness Enumeration

Related Identifiers

Affected Products

References · 9