CVE-2026-7446

Source
https://cve.org/CVERecord?id=CVE-2026-7446
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-7446.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-7446
Aliases
Published
2026-04-30T00:00:20.595Z
Modified
2026-07-15T01:49:06.485100039Z
Severity
  • 5.5 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P CVSS Calculator
Summary
VetCoders mcp-server-semgrep MCP index.ts create_rule os command injection
Details

A vulnerability was detected in VetCoders mcp-server-semgrep 1.0.0. This affects the function analyzeresults/filterresults/exportresults/compareresults/scandirectory/createrule of the file src/index.ts of the component MCP Interface. The manipulation of the argument ID results in os command injection. The attack can be executed remotely. The exploit is now public and may be used. Upgrading to version 1.0.1 is able to mitigate this issue. The patch is identified as 141335da044e53c3f5b315e0386e01238405b771. It is advisable to upgrade the affected component.

Database specific
{
    "cna_assigner": "VulDB",
    "unresolved_ranges": [
        {
            "source": "AFFECTED_FIELD",
            "extracted_events": [
                {
                    "introduced": "1.0.0"
                },
                {
                    "last_affected": "1.0.0"
                }
            ]
        }
    ],
    "cwe_ids": [
        "CWE-77",
        "CWE-78"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/7xxx/CVE-2026-7446.json"
}
References

Affected packages

Git / github.com/vetcoders/mcp-server-semgrep

Affected ranges

Type
GIT
Repo
https://github.com/vetcoders/mcp-server-semgrep
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Database specific
{
    "source": "REFERENCES"
}

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-7446.json"