PT-2026-7010 · Lldb+1
Lexpl0It · Published 2026-02-08 · Updated 2026-03-05
CVE-2026-2178
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
r-huijts xcode-mcp-server versions up to f3419f00117aa9949e326f78cc940166c88f18cb
Description
A command injection issue exists in the registerXcodeTools function within the src/tools/xcode/index.ts file of the run lldb component. Manipulation of the args argument can lead to remote command execution. The exploit has been publicly released.
Recommendations
Apply the patch identified as 11f8d6bacadd153beee649f92a78a9dad761f56f to resolve this issue.
Special Elements Injection
Command Injection
Related Identifiers
Affected Products
Lldb
Xcode-Mcp-Server