CVE-2026-10691

Source
https://cve.org/CVERecord?id=CVE-2026-10691
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-10691.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-10691
Aliases
Published
2026-06-02T23:30:14.612Z
Modified
2026-07-10T17:41:40.763012806Z
Severity
  • 2.1 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P CVSS Calculator
Summary
wonderwhy-er DesktopCommanderMCP start_search search-manager.ts redos
Details

A security flaw has been discovered in wonderwhy-er DesktopCommanderMCP up to 0.2.38. This impacts an unknown function of the file src/search-manager.ts of the component start_search. Performing a manipulation of the argument SearchResult[] results in inefficient regular expression complexity. It is possible to initiate the attack remotely. The exploit has been released to the public and may be used for attacks. Upgrading to version 0.2.39 will fix this issue. The patch is named 4ce845f8749b6a159b57b38dcc3357f7222a8078. It is suggested to upgrade the affected component.

Database specific
{
    "unresolved_ranges": [
        {
            "source": "AFFECTED_FIELD",
            "extracted_events": [
                {
                    "introduced": "0.2.8"
                },
                {
                    "last_affected": "0.2.8"
                },
                {
                    "introduced": "0.2.10"
                },
                {
                    "last_affected": "0.2.10"
                },
                {
                    "introduced": "0.2.12"
                },
                {
                    "last_affected": "0.2.12"
                }
            ]
        }
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/10xxx/CVE-2026-10691.json",
    "cna_assigner": "VulDB",
    "cwe_ids": [
        "CWE-1333",
        "CWE-400"
    ]
}
References

Affected packages

Git / github.com/wonderwhy-er/desktopcommandermcp

Affected ranges

Type
GIT
Repo
https://github.com/wonderwhy-er/desktopcommandermcp
Events
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "0.2.0"
        },
        {
            "last_affected": "0.2.0"
        },
        {
            "introduced": "0.2.1"
        },
        {
            "last_affected": "0.2.1"
        },
        {
            "introduced": "0.2.2"
        },
        {
            "last_affected": "0.2.2"
        },
        {
            "introduced": "0.2.3"
        },
        {
            "last_affected": "0.2.3"
        },
        {
            "introduced": "0.2.4"
        },
        {
            "last_affected": "0.2.4"
        },
        {
            "introduced": "0.2.5"
        },
        {
            "last_affected": "0.2.5"
        },
        {
            "introduced": "0.2.6"
        },
        {
            "last_affected": "0.2.6"
        },
        {
            "introduced": "0.2.7"
        },
        {
            "last_affected": "0.2.7"
        },
        {
            "introduced": "0.2.9"
        },
        {
            "last_affected": "0.2.9"
        },
        {
            "introduced": "0.2.11"
        },
        {
            "last_affected": "0.2.11"
        },
        {
            "introduced": "0.2.13"
        },
        {
            "last_affected": "0.2.13"
        },
        {
            "introduced": "0.2.14"
        },
        {
            "last_affected": "0.2.14"
        },
        {
            "introduced": "0.2.15"
        },
        {
            "last_affected": "0.2.15"
        },
        {
            "introduced": "0.2.16"
        },
        {
            "last_affected": "0.2.16"
        },
        {
            "introduced": "0.2.17"
        },
        {
            "last_affected": "0.2.17"
        },
        {
            "introduced": "0.2.18"
        },
        {
            "last_affected": "0.2.18"
        },
        {
            "introduced": "0.2.19"
        },
        {
            "last_affected": "0.2.19"
        },
        {
            "introduced": "0.2.20"
        },
        {
            "last_affected": "0.2.20"
        },
        {
            "introduced": "0.2.21"
        },
        {
            "last_affected": "0.2.21"
        },
        {
            "introduced": "0.2.22"
        },
        {
            "last_affected": "0.2.22"
        },
        {
            "introduced": "0.2.23"
        },
        {
            "last_affected": "0.2.23"
        },
        {
            "introduced": "0.2.24"
        },
        {
            "last_affected": "0.2.24"
        },
        {
            "introduced": "0.2.25"
        },
        {
            "last_affected": "0.2.25"
        },
        {
            "introduced": "0.2.26"
        },
        {
            "last_affected": "0.2.26"
        },
        {
            "introduced": "0.2.27"
        },
        {
            "last_affected": "0.2.27"
        },
        {
            "introduced": "0.2.28"
        },
        {
            "last_affected": "0.2.28"
        },
        {
            "introduced": "0.2.29"
        },
        {
            "last_affected": "0.2.29"
        },
        {
            "introduced": "0.2.30"
        },
        {
            "last_affected": "0.2.30"
        },
        {
            "introduced": "0.2.31"
        },
        {
            "last_affected": "0.2.31"
        },
        {
            "introduced": "0.2.32"
        },
        {
            "last_affected": "0.2.32"
        },
        {
            "introduced": "0.2.33"
        },
        {
            "last_affected": "0.2.33"
        },
        {
            "introduced": "0.2.34"
        },
        {
            "last_affected": "0.2.34"
        },
        {
            "introduced": "0.2.35"
        },
        {
            "last_affected": "0.2.35"
        },
        {
            "introduced": "0.2.36"
        },
        {
            "last_affected": "0.2.36"
        },
        {
            "introduced": "0.2.37"
        },
        {
            "last_affected": "0.2.37"
        },
        {
            "introduced": "0.2.38"
        },
        {
            "last_affected": "0.2.38"
        }
    ]
}

Affected versions

0.*
0.2.0
0.2.1
0.2.11
0.2.13
0.2.14
0.2.15
0.2.16
0.2.17
0.2.18
0.2.19
0.2.2
0.2.20
0.2.21
0.2.22
0.2.23
0.2.24
0.2.25
0.2.26
0.2.27
0.2.28
0.2.29
0.2.3
0.2.30
0.2.31
0.2.32
0.2.33
0.2.34
0.2.35
0.2.36
0.2.37
0.2.38
0.2.4
0.2.5
0.2.6
0.2.7
0.2.9
v0.*
v0.2.0
v0.2.1
v0.2.13
v0.2.14
v0.2.15
v0.2.16
v0.2.17
v0.2.18
v0.2.19
v0.2.2
v0.2.21
v0.2.22
v0.2.23
v0.2.24
v0.2.25
v0.2.26
v0.2.27
v0.2.28
v0.2.3
v0.2.30
v0.2.31
v0.2.33
v0.2.34
v0.2.35
v0.2.36
v0.2.4
v0.2.5
v0.2.6
v0.2.7
v0.2.9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-10691.json"