CVE-2026-15749

Source
https://cve.org/CVERecord?id=CVE-2026-15749
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-15749.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-15749
Published
2026-07-14T21:00:10.293Z
Modified
2026-07-17T03:41:56.963056600Z
Severity
  • 1.9 (Low) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P CVSS Calculator
Summary
mastergo-design mastergo-magic-mcp mcp__C2d get-c2d.ts execute path traversal
Details

A security flaw has been discovered in mastergo-design mastergo-magic-mcp up to 0.2.0. This issue affects the function execute of the file src/tools/get-c2d.ts of the component mcp__C2d. Performing a manipulation of the argument filePath results in path traversal. The attack requires a local approach. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.

Database specific
{
    "cwe_ids": [
        "CWE-22"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/15xxx/CVE-2026-15749.json",
    "cna_assigner": "VulDB"
}
References

Affected packages

Git / github.com/mastergo-design/mastergo-magic-mcp

Affected ranges

Type
GIT
Repo
https://github.com/mastergo-design/mastergo-magic-mcp
Events
Database specific
{
    "extracted_events": [
        {
            "introduced": "0.1"
        },
        {
            "last_affected": "0.1"
        },
        {
            "introduced": "0.2.0"
        },
        {
            "last_affected": "0.2.0"
        }
    ],
    "source": "AFFECTED_FIELD"
}

Affected versions

0.*
0.1
0.2.0
v0.*
v0.1.0
v0.1.1
v0.1.2
v0.1.4
v0.1.5
v0.1.6
v0.1.6-beta.0
v0.1.6-beta.1
v0.1.6-beta.2
v0.1.6-beta.3
v0.1.6-beta.4
v0.1.7
v0.1.7-beta.0
v0.1.8
v0.1.9-alpha.0
v0.2.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-15749.json"