Description
A vulnerability was determined in lharries whatsapp-mcp 0.0.1. Affected by this vulnerability is the function SendMessageRequest of the file whatsapp-bridge/main.go of the component Send API Endpoint. This manipulation of the argument mediaPath causes path traversal. The exploit has been publicly disclosed and may be utilized. Patch name: 6657cdceadd361e8fbe824afe9d00b4504009a5d. It is recommended to apply a patch to fix this issue.
Published: 2026-06-01
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A path traversal flaw exists in the SendMessageRequest routine of the Send API endpoint in whatsapp-mcp 0.0.1. The vulnerability is triggered by supplying a specially crafted mediaPath argument, which allows the attacker to reference paths outside the intended media storage location. As a result, an unauthenticated user could read, download, or potentially modify arbitrary files on the server filesystem. This compromise impacts confidentiality and could lead to denial of service or further exploitation if executable files are accessed. The weakness is classified as CWE-22, reflecting improper validation of path components.

Affected Systems

The affected product is lharries whatsapp-mcp 0.0.1. No other versions are listed in the CNA data. Organizations running this exact version of the open-source project must assess their deployment for exposure to the Send API endpoint.

Risk and Exploitability

The CVSS score of 5.1 indicates moderate severity. EPSS information is not available, and the vulnerability is not listed in CISA KEV. The publicly disclosed exploit suggests that the flaw can be used by an attacker who can send requests to the Send API endpoint, implying a remote, network-based attack vector. The description does not explicitly state authentication requirements, so the impact may be limited to unauthenticated or authenticated API users. Given the lack of a high base score but public exploitation, operators should consider the risk of unauthorized file access in their threat models.

Generated by OpenCVE AI on June 1, 2026 at 16:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official patch identified by commit 6657cdceadd361e8fbe824afe9d00b4504009a5d to whatsapp‑mcp 0.0.1.
  • Ensure that mediaPath inputs are validated or sanitized to reject any path traversal sequences such as ".." or absolute paths before processing.
  • Disable or restrict access to the Send API endpoint if it is not required for business operations, or enforce strict authentication and permission controls to limit exposure.
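
The mediaPath validation recommended above, sketched as an added Go example; it is not code from whatsapp-mcp or from the referenced patch. The names ResolveMediaPath, ErrOutsideMediaDir and mediaRoot (a directory that uploads are assumed to be confined to) are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideMediaDir reports a mediaPath that does not stay inside the media root.
var ErrOutsideMediaDir = errors.New("mediaPath escapes the allowed media directory")

// escapes reports whether a cleaned relative path climbs above its base.
func escapes(rel string) bool {
	return rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// ResolveMediaPath is a hypothetical helper, not the project's code. It maps a
// client-supplied mediaPath onto a file under mediaRoot (an assumed upload
// directory) and rejects absolute paths, ".." traversal and symlink escapes.
func ResolveMediaPath(mediaRoot, mediaPath string) (string, error) {
	if mediaPath == "" || filepath.IsAbs(mediaPath) || escapes(filepath.Clean(mediaPath)) {
		return "", ErrOutsideMediaDir
	}
	root, err := filepath.EvalSymlinks(mediaRoot)
	if err != nil {
		return "", err
	}
	// Resolve symlinks in the joined path, then re-check containment.
	full, err := filepath.EvalSymlinks(filepath.Join(root, mediaPath))
	if err != nil {
		return "", err // includes "file does not exist"
	}
	rel, err := filepath.Rel(root, full)
	if err != nil || escapes(rel) {
		return "", ErrOutsideMediaDir
	}
	return full, nil
}

func main() {
	root, _ := os.MkdirTemp("", "media") // constructed sample directory
	defer os.RemoveAll(root)
	os.WriteFile(filepath.Join(root, "photo.jpg"), []byte("sample"), 0o600)
	for _, p := range []string{"photo.jpg", "../../etc/passwd", "/etc/passwd"} {
		_, err := ResolveMediaPath(root, p)
		fmt.Printf("%-20q -> %v\n", p, err)
	}
}
```

The check and the later file open are separate steps, so the handler should open the returned path immediately and keep the media directory writable only by the service. On Go 1.24 or later, os.OpenRoot enforces the same containment at open time.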

Advisories

No advisories yet.

History

Wed, 03 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 01 Jun 2026 15:00:00 +0000

Type Values Removed Values Added
Description A vulnerability was determined in lharries whatsapp-mcp 0.0.1. Affected by this vulnerability is the function SendMessageRequest of the file whatsapp-bridge/main.go of the component Send API Endpoint. This manipulation of the argument mediaPath causes path traversal. The exploit has been publicly disclosed and may be utilized. Patch name: 6657cdceadd361e8fbe824afe9d00b4504009a5d. It is recommended to apply a patch to fix this issue.
Title lharries whatsapp-mcp Send API Endpoint main.go SendMessageRequest path traversal
First Time appeared Lharries
Lharries whatsapp-mcp
Weaknesses CWE-22
CPEs cpe:2.3:a:lharries:whatsapp-mcp:*:*:*:*:*:*:*:*
Vendors & Products Lharries
Lharries whatsapp-mcp
References
Metrics cvssV2_0

{'score': 2.7, 'vector': 'AV:A/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:OF/RC:C'}

cvssV3_0

{'score': 3.5, 'vector': 'CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C'}

cvssV3_1

{'score': 3.5, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C'}

cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-03T14:46:27.835Z

Reserved: 2026-05-31T12:51:28.835Z

Link: CVE-2026-10264

Vulnrichment

Updated: 2026-06-03T14:43:25.729Z

NVD

Status: Deferred

Published: 2026-06-01T15:16:32.830

Modified: 2026-06-01T16:41:55.090

Link: CVE-2026-10264

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-02T20:54:32Z
