Description
A vulnerability was detected in abhiphile fermat-mcp up to 47f11def1cd37e45dd060f30cdce346cbdbd6f0a. This vulnerability affects the function eqn_chart of the file fmcp/mpl_mcp/core/eqn_chart.py. Performing a manipulation of the argument equations results in code injection. It is possible to initiate the attack remotely. The exploit is now public and may be used. This product is using a rolling release to provide continuous delivery. Therefore, no version details for affected or updated releases are available. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-02-06
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Apply Workaround
AI Analysis

Impact

The vulnerability arises in the eqn_chart function of the fermat‑mcp package, where an attacker can supply a crafted equations argument that causes the application to inject and execute arbitrary code. This code injection flaw is the sole weakness reported, and the CVSS score of 5.3 indicates a moderate severity. Because the exploit is publicly available and can be triggered remotely without authentication, the impact is the ability to run arbitrary commands on the system hosting the service.

Affected Systems

The affected product is abhiphile’s fermat‑mcp, encompassing all releases prior to the commit 47f11def1cd37e45dd060f30cdce346cbdbd6f0a. The project follows a rolling‑release model and does not publish explicit version numbers for affected or patched releases, so any instance of the current code base may be vulnerable.

Risk and Exploitability

The EPSS score of less than 1 % indicates that exploitation is currently considered unlikely, yet the vulnerability is publicly documented and an exploit is available, raising the risk for systems still running the vulnerable code. The attack vector is remote, occurring through the EQN_CHART API endpoint, and does not require authentication. As the product lacks a published fix, the only mitigation remains to stop using the vulnerable module or to explicitly shield the endpoint.

Generated by OpenCVE AI on April 18, 2026 at 18:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check for an update from abhiphile that contains a fix; if unavailable, use a workaround or restrict access to the eqn_chart endpoint.
  • If an upgrade is not immediately possible, restrict network access to the eqn_chart endpoint to trusted internal hosts only and enforce strict input validation that permits only a defined set of numeric operations and symbols.
  • Apply a runtime sandbox or container isolation to the application so that any unexpected code execution is contained and cannot affect the host system.
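
One way to implement the strict input validation recommended above, shown as an added example (not fermat-mcp code and not a vendor fix). It parses an equation string and walks the syntax tree against an allowlist instead of evaluating the text; the names `safe_eval` and `RejectedEquation`, the variable name `x`, and the permitted function set are assumptions for illustration.

```python
import ast
import math
import operator

# Assumed allowlist: trim it to the operations the charting feature needs.
_BINOPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
           ast.Div: operator.truediv, ast.Pow: operator.pow}
_UNARY = {ast.USub: operator.neg, ast.UAdd: operator.pos}
_FUNCS = {"sin": math.sin, "cos": math.cos, "tan": math.tan,
          "exp": math.exp, "log": math.log, "sqrt": math.sqrt}
_NAMES = {"pi": math.pi, "e": math.e}
MAX_LEN = 200  # bounds parser work and nesting depth


class RejectedEquation(ValueError):
    """The input uses syntax outside the allowlist."""


def safe_eval(expr: str, x: float) -> float:
    """Evaluate one equation at x without eval()/exec().

    Arithmetic errors (ZeroDivisionError, OverflowError, math domain
    errors) propagate to the caller, which can skip that sample point.
    """
    if len(expr) > MAX_LEN:
        raise RejectedEquation("expression too long")
    try:
        tree = ast.parse(expr, mode="eval")
    except (SyntaxError, ValueError) as exc:
        raise RejectedEquation("not a single expression") from exc
    return _walk(tree.body, float(x))


def _walk(node, x):
    # Numeric literals only; str, bytes, bool and None constants are refused.
    if isinstance(node, ast.Constant) and type(node.value) in (int, float):
        return float(node.value)  # floats overflow fast instead of growing
    if isinstance(node, ast.Name):
        if node.id == "x":
            return x
        if node.id in _NAMES:
            return _NAMES[node.id]
    if isinstance(node, ast.BinOp) and type(node.op) in _BINOPS:
        return _BINOPS[type(node.op)](_walk(node.left, x), _walk(node.right, x))
    if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY:
        return _UNARY[type(node.op)](_walk(node.operand, x))
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
            and node.func.id in _FUNCS and len(node.args) == 1
            and not node.keywords):
        return _FUNCS[node.func.id](_walk(node.args[0], x))
    # Attribute access, subscripts, lambdas, comprehensions, other calls...
    raise RejectedEquation(f"disallowed syntax: {type(node).__name__}")
```

Because every node type not listed is rejected by default, new Python syntax cannot widen what the validator accepts.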

Advisories

No advisories yet.

History

Tue, 17 Feb 2026 19:15:00 +0000

Type Values Removed Values Added
First Time appeared Abhiphile fermat
CPEs cpe:2.3:a:abhiphile:fermat:*:*:*:*:*:*:*:*
Vendors & Products Abhiphile fermat

Thu, 12 Feb 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 09 Feb 2026 11:00:00 +0000

Type Values Removed Values Added
First Time appeared Abhiphile
Abhiphile fermat-mcp
Vendors & Products Abhiphile
Abhiphile fermat-mcp

Fri, 06 Feb 2026 07:15:00 +0000

Type Values Removed Values Added
Description A vulnerability was detected in abhiphile fermat-mcp up to 47f11def1cd37e45dd060f30cdce346cbdbd6f0a. This vulnerability affects the function eqn_chart of the file fmcp/mpl_mcp/core/eqn_chart.py. Performing a manipulation of the argument equations results in code injection. It is possible to initiate the attack remotely. The exploit is now public and may be used. This product is using a rolling release to provide continuous delivery. Therefore, no version details for affected or updated releases are available. The project was informed of the problem early through an issue report but has not responded yet.
Title abhiphile fermat-mcp eqn_chart.py eqn_chart code injection
Weaknesses CWE-74
CWE-94
References
Metrics cvssV2_0

{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T09:22:27.168Z

Reserved: 2026-02-05T19:19:33.938Z

Link: CVE-2026-2008

Vulnrichment

Updated: 2026-02-12T15:06:54.486Z

NVD

Status: Analyzed

Published: 2026-02-06T07:16:13.447

Modified: 2026-02-17T19:12:42.487

Link: CVE-2026-2008

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T18:30:07Z
