Description
A vulnerability was determined in ishayoyo excel-mcp up to 1.0.2. Impacted is an unknown function of the file src/index.ts of the component read_file/write_file. Executing a manipulation of the argument filePath/outputPath can lead to path traversal. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-06-01
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Path traversal in the read_file/write_file function of ishayoyo excel-mcp enables remote attackers to specify arbitrary file paths for reading or writing. This flaw permits disclosure of sensitive files or alteration of critical configuration data, threatening confidentiality and integrity. The weakness is classified as CWE-22.

Affected Systems

The vulnerability affects only the ishayoyo excel-mcp component versions 1.0.2 and earlier. Any installation of this open-source library in that version range is exposed.

Risk and Exploitability

The CVSS score of 5.3 reflects moderate severity. EPSS data is unavailable, and the issue is not listed in CISA KEV, but the exploit has been publicly disclosed and can be performed remotely via the exposed function. Systems that expose the read_file/write_file interface to external clients are at risk until a vendor fix is applied.

Generated by OpenCVE AI on June 1, 2026 at 20:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest, non‑vulnerable version of excel‑mcp as soon as a patch is released.
  • If upgrading is delayed, limit the component’s API to trusted users or an internal network and block public access to the vulnerable function.
  • Implement strict path validation: reject any filePath or outputPath that contains ".." or absolute path indicators, allowing only whitelisted directories.

Generated by OpenCVE AI on June 1, 2026 at 20:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 02 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 01 Jun 2026 19:00:00 +0000

Type Values Removed Values Added
Description A vulnerability was determined in ishayoyo excel-mcp up to 1.0.2. Impacted is an unknown function of the file src/index.ts of the component read_file/write_file. Executing a manipulation of the argument filePath/outputPath can lead to path traversal. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through an issue report but has not responded yet.
Title ishayoyo excel-mcp read_file/write_file index.ts path traversal
First Time appeared Ishayoyo
Ishayoyo excel-mcp
Weaknesses CWE-22
CPEs cpe:2.3:a:ishayoyo:excel-mcp:*:*:*:*:*:*:*:*
Vendors & Products Ishayoyo
Ishayoyo excel-mcp
References
Metrics cvssV2_0

{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Ishayoyo Excel-mcp
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-02T12:46:47.580Z

Reserved: 2026-05-31T16:10:40.911Z

Link: CVE-2026-10278

cve-icon Vulnrichment

Updated: 2026-06-02T12:46:41.382Z

cve-icon NVD

Status : Deferred

Published: 2026-06-01T19:16:20.440

Modified: 2026-06-02T13:03:31.153

Link: CVE-2026-10278

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-02T20:53:11Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')