Description
A vulnerability was determined in BurtTheCoder mcp-maigret up to 1.0.12. It affects an unknown part of the file src/index.ts in the search_username component. Manipulation of the Username argument can lead to command injection. The attack may be launched remotely. Upgrading to version 1.0.13 mitigates this issue; the patch is identified as b1ae073c4b3e789ab8de36dc6ca8111ae9399e7a. Upgrading the affected component is advised.
Published: 2026-02-08
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Command Injection
Action: Apply Patch
AI Analysis

Impact

A command injection flaw has been identified in the search_username function of mcp-maigret’s src/index.ts. The vulnerability allows an attacker to inject arbitrary shell commands through the Username argument, which is then passed to the system shell without proper validation. This corresponds to CWE-74 and CWE-77 weaknesses. If exploited, the attacker can run arbitrary commands on the host, compromising confidentiality, integrity, and availability of the affected system.

Affected Systems

The flaw exists in all releases of BurtTheCoder’s mcp-maigret up to and including version 1.0.12. Version 1.0.13 incorporates a fix that removes the unsafe command execution path. The component affected is the search_username feature within src/index.ts.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate severity, while the EPSS score of less than 1% suggests a low likelihood of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. The attack vector is remote, presumably via requests to the search_username endpoint exposed by the application. The patch mitigates the risk by preventing the injection of malicious commands.

Generated by OpenCVE AI on April 18, 2026 at 13:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade mcp-maigret to the patched release 1.0.13 or later.
  • Restrict access to the search_username endpoint so that only authenticated, authorized users can invoke it.
  • Implement or enforce input validation that sanitizes or rejects shell metacharacters before the value is passed to any shell execution context.
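As an added illustration (not code from the mcp-maigret project or from the advisory), the following TypeScript shows the mitigation described in the third recommendation: an allowlist check that rejects any username containing shell metacharacters, combined with invoking the maigret binary through execFile with an argument array so that no shell ever parses the value. The USERNAME_RE pattern, the function names and the maigret binary path are assumptions made for this example.

```typescript
import { execFile } from "node:child_process";
import { promisify } from "node:util";

const execFileAsync = promisify(execFile);

// Assumed allowlist for a username: letters, digits, dot, underscore and
// hyphen, 1-64 characters. Shell metacharacters (;, |, &, $, backticks,
// quotes, whitespace) can never match, so they are rejected before any spawn.
const USERNAME_RE = /^[A-Za-z0-9._-]{1,64}$/;

// Returns the username unchanged if it passes the allowlist, otherwise
// throws. Rejecting is preferable to "sanitising" by stripping characters:
// a stripped value is silently different from what the caller sent.
export function validateUsername(username: string): string {
  if (!USERNAME_RE.test(username)) {
    throw new Error("username rejected: only [A-Za-z0-9._-]{1,64} allowed");
  }
  return username;
}

// Builds the argv array for the maigret CLI. Each element reaches the child
// process as exactly one argument; there is no shell in between to
// reinterpret it. Only the positional username is passed here; any real
// flags would be added as separate array elements, never concatenated into
// a command string.
export function buildMaigretArgs(username: string): string[] {
  return [validateUsername(username)];
}

// Unsafe pattern, shown for contrast and never called: building one command
// line and handing it to exec() means /bin/sh parses the username, which is
// the CWE-77 path the advisory describes.
//   exec(`maigret ${username}`)
//
// Safe pattern: execFile() spawns the binary directly with an argv array.
export async function runSearch(
  username: string,
  maigretBin = "maigret", // assumed binary name / path
): Promise<string> {
  const args = buildMaigretArgs(username);
  const { stdout } = await execFileAsync(maigretBin, args, {
    timeout: 60_000, // bound the run so a slow search cannot pin the host
    maxBuffer: 16 * 1024 * 1024,
  });
  return stdout;
}
```

runSearch is the only place a process is spawned; validateUsername and buildMaigretArgs are pure functions, so the rejection logic can be unit-tested without maigret installed, and the execFile call keeps the value inert even if a future validation change were too permissive.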


Tracking

Advisories
Source | ID | Title
GitHub GHSA | GHSA-2g7v-hghf-grg4 | mcp-maigret vulnerable to command injection
History

Thu, 05 Mar 2026 20:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Burtthecoder maigret Mcp Server
CPEs | | cpe:2.3:a:burtthecoder:maigret_mcp_server:*:*:*:*:*:*:*:*
Vendors & Products | | Burtthecoder maigret Mcp Server

Tue, 10 Feb 2026 20:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 09 Feb 2026 11:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Burtthecoder; Burtthecoder mcp-maigret
Vendors & Products | | Burtthecoder; Burtthecoder mcp-maigret

Sun, 08 Feb 2026 03:00:00 +0000

Type | Values Removed | Values Added
Description | | A vulnerability was determined in BurtTheCoder mcp-maigret up to 1.0.12. This affects an unknown part of the file src/index.ts of the component search_username. Executing a manipulation of the argument Username can lead to command injection. The attack may be launched remotely. Upgrading to version 1.0.13 is able to mitigate this issue. This patch is called b1ae073c4b3e789ab8de36dc6ca8111ae9399e7a. Upgrading the affected component is advised.
Title | | BurtTheCoder mcp-maigret search_username index.ts command injection
Weaknesses | | CWE-74; CWE-77
References | |
Metrics | | cvssV2_0 {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:ND/RL:OF/RC:C'}
Metrics | | cvssV3_0 {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C'}
Metrics | | cvssV3_1 {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C'}
Metrics | | cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T09:36:56.376Z

Reserved: 2026-02-06T20:49:51.310Z

Link: CVE-2026-2130

Vulnrichment

Updated: 2026-02-10T19:44:47.982Z

NVD

Status : Analyzed

Published: 2026-02-08T03:15:46.330

Modified: 2026-03-05T20:19:06.917

Link: CVE-2026-2130

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T13:30:45Z

Weaknesses