GHSA-gc8w-x73w-p4rh

Source
https://github.com/advisories/GHSA-gc8w-x73w-p4rh
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-gc8w-x73w-p4rh/GHSA-gc8w-x73w-p4rh.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-gc8w-x73w-p4rh
Aliases
  • CVE-2026-7600
Published
2026-05-02T03:31:13Z
Modified
2026-05-07T21:05:50.646155Z
Severity
  • 6.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
  • 2.1 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P
Summary
yii2-mcp-server has a Command Injection Issue
Details

A flaw has been found in ArtMin96 yii2-mcp-server 1.0.2. It affects the function yiicommandhelp/yiiexecutecommand in the file src/index.ts of the MCP Interface component. Manipulation can lead to OS command injection. The attack can be carried out remotely. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet.

Database specific
{
    "nvd_published_at": "2026-05-02T01:16:00Z",
    "severity": "LOW",
    "cwe_ids": [
        "CWE-77"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-07T20:51:52Z"
}
References

Affected packages

npm / yii2-mcp-server

Package

Affected ranges

Type
SEMVER
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Last affected
1.0.2

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-gc8w-x73w-p4rh/GHSA-gc8w-x73w-p4rh.json"