Description
Jaaz 1.0.30 contains a remote code execution vulnerability in its MCP STDIO command execution handling. A remote attacker can send crafted network requests to the network-accessible Jaaz application, causing attacker-controlled commands to be executed on the server. Successful exploitation results in arbitrary command execution within the context of the Jaaz service, potentially allowing full compromise of the affected system.
Published: 2026-04-15
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

Jaaz 1.0.30 contains a flaw in its MCP STDIO command execution handling. An attacker can send crafted network requests to a network‑accessible Jaaz instance, causing the service to execute arbitrary commands supplied in the request. This permits remote code execution on the host running the Jaaz service, potentially leading to full system compromise. The weakness can be classified as a command injection or improper process creation flaw.

Affected Systems

The vulnerability impacts Jaaz 1.0.30 when the service is exposed to the network. No vendor-supplied details are shown, but the flaw exists only in the specific version mentioned and requires that the Jaaz service be reachable over a network.

Risk and Exploitability

EPSS data is unavailable and the vulnerability is not listed in the CISA KEV catalog. The CVSS score is 7.3, indicating a high severity, but the description indicates an unauthenticated, network‑based remote code execution with high impact on confidentiality, integrity, and availability. Because the flaw is reachable over the network without authentication, the risk is considered high and exploitation is likely if the service is exposed to untrusted users.

Generated by OpenCVE AI on April 15, 2026 at 22:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Jaaz to a patched version that fixes the MCP STDIO handling flaw.
  • Restrict network access to the Jaaz service by applying firewalls or host‑based controls to limit exposure to trusted IP ranges until a fix is available.
  • Follow any vendor‑issued configuration advice to disable or tightly isolate the MCP STDIO feature until a patch is released.

Advisories

No advisories yet.

History

Wed, 15 Apr 2026 22:45:00 +0000
  • Title: added "Remote Command Execution via MCP STDIO in Jaaz 1.0.30"

Wed, 15 Apr 2026 21:15:00 +0000
  • First Time appeared: added Jaaz (vendor) and Jaaz jaaz (product)
  • Vendors & Products: added Jaaz (vendor) and Jaaz jaaz (product)

Wed, 15 Apr 2026 18:30:00 +0000
  • Weaknesses: added CWE-77
  • Metrics: added cvssV3_1 {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}
  • Metrics: added ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 15 Apr 2026 15:30:00 +0000
  • Description: added "Jaaz 1.0.30 contains a remote code execution vulnerability in its MCP STDIO command execution handling. A remote attacker can send crafted network requests to the network-accessible Jaaz application, causing attacker-controlled commands to be executed on the server. Successful exploitation results in arbitrary command execution within the context of the Jaaz service, potentially allowing full compromise of the affected system."
References

MITRE
  Status: PUBLISHED
  Assigner: mitre
  Published:
  Updated: 2026-04-15T17:56:48.614Z
  Reserved: 2026-03-04T00:00:00.000Z
  Link: CVE-2026-30616

Vulnrichment
  Updated: 2026-04-15T17:56:44.862Z

NVD
  Status: Received
  Published: 2026-04-15T16:16:36.293
  Modified: 2026-04-15T18:16:59.747
  Link: CVE-2026-30616

Redhat
  No data.

OpenCVE Enrichment
  Updated: 2026-04-15T22:30:16Z

Weaknesses