Search criteria
1 vulnerability by dvladimirov
CVE-2026-7211 (GCVE-0-2026-7211)
Vulnerability from cvelistv5 – Published: 2026-04-28 01:00 – Updated: 2026-04-28 12:59
VLAI
Title
dvladimirov MCP Git Search API mcp_server.py GitSearchRequest command injection
Summary
A weakness has been identified in dvladimirov MCP up to 0.1.0. The impacted element is the function GitSearchRequest of the file mcp_server.py of the component Git Search API. Executing a manipulation of the argument repo_url/pattern can lead to command injection. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/359807 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/359807/cti | signaturepermissions-required |
| https://vuldb.com/submit/802083 | third-party-advisory |
| https://github.com/dvladimirov/MCP/issues/2 | exploitissue-tracking |
| https://github.com/dvladimirov/MCP/ | product |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| dvladimirov | MCP |
Affected:
0.1.0
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-7211",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-28T12:58:58.564120Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T12:59:08.328Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"Git Search API"
],
"product": "MCP",
"vendor": "dvladimirov",
"versions": [
{
"status": "affected",
"version": "0.1.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "SmallW (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A weakness has been identified in dvladimirov MCP up to 0.1.0. The impacted element is the function GitSearchRequest of the file mcp_server.py of the component Git Search API. Executing a manipulation of the argument repo_url/pattern can lead to command injection. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 7.5,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "Command Injection",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-74",
"description": "Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T01:00:20.741Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-359807 | dvladimirov MCP Git Search API mcp_server.py GitSearchRequest command injection",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/359807"
},
{
"name": "VDB-359807 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/359807/cti"
},
{
"name": "Submit #802083 | dvladimirov mcp 0.1.0 Command Injection",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/802083"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/dvladimirov/MCP/issues/2"
},
{
"tags": [
"product"
],
"url": "https://github.com/dvladimirov/MCP/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-27T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-04-27T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-04-27T17:06:19.000Z",
"value": "VulDB entry last update"
}
],
"title": "dvladimirov MCP Git Search API mcp_server.py GitSearchRequest command injection"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-7211",
"datePublished": "2026-04-28T01:00:20.741Z",
"dateReserved": "2026-04-27T15:01:13.378Z",
"dateUpdated": "2026-04-28T12:59:08.328Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}