Search criteria
1 vulnerability by idachev
CVE-2026-5802 (GCVE-0-2026-5802)
Vulnerability from cvelistv5 – Published: 2026-04-08 20:00 – Updated: 2026-04-10 20:47
VLAI
Title
idachev mcp-javadc HTTP os command injection
Summary
A vulnerability was identified in idachev mcp-javadc up to 1.2.4. Impacted is an unknown function of the component HTTP Interface. Such manipulation of the argument jarFilePath leads to os command injection. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/356241 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/356241/cti | signaturepermissions-required |
| https://vuldb.com/submit/786974 | third-party-advisory |
| https://github.com/idachev/mcp-javadc/issues/7 | issue-tracking |
| https://github.com/BruceJqs/public_exp/issues/2 | exploitissue-tracking |
| https://github.com/idachev/mcp-javadc/ | product |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| idachev | mcp-javadc |
Affected:
1.2.0
Affected: 1.2.1 Affected: 1.2.2 Affected: 1.2.3 Affected: 1.2.4 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-5802",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-10T20:46:37.536090Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-10T20:47:03.503Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"HTTP Interface"
],
"product": "mcp-javadc",
"vendor": "idachev",
"versions": [
{
"status": "affected",
"version": "1.2.0"
},
{
"status": "affected",
"version": "1.2.1"
},
{
"status": "affected",
"version": "1.2.2"
},
{
"status": "affected",
"version": "1.2.3"
},
{
"status": "affected",
"version": "1.2.4"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "BruceJin (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was identified in idachev mcp-javadc up to 1.2.4. Impacted is an unknown function of the component HTTP Interface. Such manipulation of the argument jarFilePath leads to os command injection. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 7.5,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "OS Command Injection",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "Command Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T20:00:24.876Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-356241 | idachev mcp-javadc HTTP os command injection",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/356241"
},
{
"name": "VDB-356241 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/356241/cti"
},
{
"name": "Submit #786974 | idachev @idachev/mcp-javadc 1.2.4 Command Injection",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/786974"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/idachev/mcp-javadc/issues/7"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/BruceJqs/public_exp/issues/2"
},
{
"tags": [
"product"
],
"url": "https://github.com/idachev/mcp-javadc/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-08T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-04-08T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-04-08T16:34:37.000Z",
"value": "VulDB entry last update"
}
],
"title": "idachev mcp-javadc HTTP os command injection"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-5802",
"datePublished": "2026-04-08T20:00:24.876Z",
"dateReserved": "2026-04-08T14:29:32.763Z",
"dateUpdated": "2026-04-10T20:47:03.503Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}