PYSEC-2026-2542

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/kaggle-mcp/PYSEC-2026-2542.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-2542
Aliases
Published
2026-07-13T15:02:53.907402Z
Modified
2026-07-13T16:32:00.167325394Z
Severity
  • 7.3 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L CVSS Calculator
  • 5.5 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P CVSS Calculator
Summary
kaggle-mcp has a Path Traversal issue
Details

A vulnerability has been found in dexhunter kaggle-mcp up to 406127ffcb2b91b8c10e20e6c2ca787fbc1dc92d. This vulnerability affects the function preparekaggledataset of the file src/kagglemcp/server.py. The manipulation of the argument competitionid leads to path traversal. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used. This product adopts a rolling release strategy to maintain continuous delivery. Therefore, version details for affected or updated releases cannot be specified. The project was informed of the problem early through an issue report but has not responded yet.

References

Affected packages

PyPI / kaggle-mcp

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Last affected
0.1.0

Affected versions

0.*
0.1.0

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/kaggle-mcp/PYSEC-2026-2542.yaml"