GHSA-q882-jc55-6343

Source
https://github.com/advisories/GHSA-q882-jc55-6343
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-q882-jc55-6343/GHSA-q882-jc55-6343.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-q882-jc55-6343
Aliases
  • CVE-2026-7149
Published
2026-04-27T21:31:02Z
Modified
2026-05-06T18:49:57.081793Z
Severity
  • 7.3 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
  • 5.5 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P
Summary
kaggle-mcp has a Path Traversal issue
Details

A vulnerability has been found in dexhunter kaggle-mcp up to 406127ffcb2b91b8c10e20e6c2ca787fbc1dc92d. It affects the function preparekaggledataset in the file src/kagglemcp/server.py. Manipulating the argument competitionid leads to path traversal. The attack can be carried out remotely. The exploit has been disclosed to the public and may be used. The product follows a rolling release strategy for continuous delivery, so version details for affected or updated releases cannot be specified. The project was informed of the problem early through an issue report but has not responded yet.

Database specific
{
    "cwe_ids": [
        "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-06T18:36:42Z",
    "nvd_published_at": "2026-04-27T19:16:54Z",
    "severity": "MODERATE"
}

Affected packages

PyPI / kaggle-mcp

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Last affected
0.1.0

Affected versions

0.*
0.1.0

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-q882-jc55-6343/GHSA-q882-jc55-6343.json"