CVE-2026-13489

Source
https://cve.org/CVERecord?id=CVE-2026-13489
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-13489.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-13489
Published
2026-06-28T10:45:08.559Z
Modified
2026-07-15T01:49:06.254959289Z
Severity
  • 1.3 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P CVSS Calculator
Summary
78 xiaozhi-esp32 MCP Response mcp_server.cc ParseMessage improper synchronization
Details

A weakness has been identified in 78 xiaozhi-esp32 up to 2.2.6. Affected by this issue is the function ParseMessage of the file main/mcp_server.cc of the component MCP Response Handler. This manipulation causes improper synchronization. Remote exploitation of the attack is possible. The attack's complexity is rated as high. The exploitation is known to be difficult. The exploit has been made available to the public and could be used for attacks. The pull request to fix this issue awaits acceptance.

Database specific
{
    "cwe_ids": [
        "CWE-662"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/13xxx/CVE-2026-13489.json",
    "unresolved_ranges": [
        {
            "extracted_events": [
                {
                    "introduced": "2.2.0"
                },
                {
                    "last_affected": "2.2.0"
                },
                {
                    "introduced": "2.2.1"
                },
                {
                    "last_affected": "2.2.1"
                },
                {
                    "introduced": "2.2.5"
                },
                {
                    "last_affected": "2.2.5"
                }
            ],
            "source": "AFFECTED_FIELD"
        }
    ],
    "cna_assigner": "VulDB"
}
References

Affected packages

Git / github.com/78/xiaozhi-esp32

Affected ranges

Type
GIT
Repo
https://github.com/78/xiaozhi-esp32
Events
Database specific
{
    "extracted_events": [
        {
            "introduced": "2.2.2"
        },
        {
            "last_affected": "2.2.2"
        },
        {
            "introduced": "2.2.3"
        },
        {
            "last_affected": "2.2.3"
        },
        {
            "introduced": "2.2.4"
        },
        {
            "last_affected": "2.2.4"
        },
        {
            "introduced": "2.2.6"
        },
        {
            "last_affected": "2.2.6"
        }
    ],
    "source": "AFFECTED_FIELD"
}

Affected versions

2.*
2.2.2
2.2.3
2.2.4
2.2.6
v2.*
v2.2.2
v2.2.3
v2.2.4
v2.2.6

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-13489.json"