CVE-2026-4496 (GCVE-0-2026-4496)
Vulnerability from cvelistv5 – Published: 2026-03-20 18:32 – Updated: 2026-03-25 13:59
Title
sigmade Git-MCP-Server gitUtils.ts child_process.exec os command injection
Summary
A vulnerability was found in sigmade Git-MCP-Server up to 785aa159f262a02d5791a5d8a8e13c507ac42880. Affected by this vulnerability is the function child_process.exec of the file src/gitUtils.ts of the component show_merge_diff/quick_merge_summary/show_file_diff. The manipulation results in os command injection. The attack must be initiated from a local position. The exploit has been made public and could be used. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases. It is advisable to implement a patch to correct this issue. The vendor was contacted early about this disclosure but did not respond in any way.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
7 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.352045 | vdb-entry, technical-description |
| https://vuldb.com/?ctiid.352045 | signature, permissions-required |
| https://vuldb.com/?submit.773796 | third-party-advisory |
| https://github.com/sigmade/Git-MCP-Server/issues/1 | issue-tracking |
| https://github.com/user-attachments/files/2485574… | exploit |
| https://github.com/sigmade/Git-MCP-Server/pull/2 | issue-tracking, patch |
| https://github.com/sigmade/Git-MCP-Server/ | product |
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| sigmade | Git-MCP-Server | Affected: 785aa159f262a02d5791a5d8a8e13c507ac42880 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-4496",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-25T13:58:53.941904Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-25T13:59:02.878Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"show_merge_diff/quick_merge_summary/show_file_diff"
],
"product": "Git-MCP-Server",
"vendor": "sigmade",
"versions": [
{
"status": "affected",
"version": "785aa159f262a02d5791a5d8a8e13c507ac42880"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Yinci Chen (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in sigmade Git-MCP-Server up to 785aa159f262a02d5791a5d8a8e13c507ac42880. Affected by this vulnerability is the function child_process.exec of the file src/gitUtils.ts of the component show_merge_diff/quick_merge_summary/show_file_diff. The manipulation results in os command injection. The attack must be initiated from a local position. The exploit has been made public and could be used. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases. It is advisable to implement a patch to correct this issue. The vendor was contacted early about this disclosure but did not respond in any way."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 4.3,
"vectorString": "AV:L/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "OS Command Injection",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "Command Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-20T18:32:13.041Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-352045 | sigmade Git-MCP-Server gitUtils.ts child_process.exec os command injection",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.352045"
},
{
"name": "VDB-352045 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.352045"
},
{
"name": "Submit #773796 | sigmade Git-MCP-Server \u003c=1.0.0 Command Injection",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.773796"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/sigmade/Git-MCP-Server/issues/1"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/user-attachments/files/24855745/Git-MCP-Server.bug.pdf"
},
{
"tags": [
"issue-tracking",
"patch"
],
"url": "https://github.com/sigmade/Git-MCP-Server/pull/2"
},
{
"tags": [
"product"
],
"url": "https://github.com/sigmade/Git-MCP-Server/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-03-20T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-03-20T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-03-20T10:21:37.000Z",
"value": "VulDB entry last update"
}
],
"title": "sigmade Git-MCP-Server gitUtils.ts child_process.exec os command injection"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-4496",
"datePublished": "2026-03-20T18:32:13.041Z",
"dateReserved": "2026-03-20T09:15:25.741Z",
"dateUpdated": "2026-03-25T13:59:02.878Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-4496",
"date": "2026-06-17",
"epss": "0.00697",
"percentile": "0.48128"
}
}
}