Description
A vulnerability was found in sigmade Git-MCP-Server up to commit 785aa159f262a02d5791a5d8a8e13c507ac42880. Affected by this vulnerability is the function child_process.exec in the file src/gitUtils.ts of the component show_merge_diff/quick_merge_summary/show_file_diff. The manipulation results in OS command injection. The attack must be initiated from a local position. The exploit has been made public and could be used. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases. It is advisable to implement a patch to correct this issue. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-03-20
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Local OS Command Injection
Action: Apply Patch
AI Analysis

Impact

The vulnerability occurs in the child_process.exec call within the gitUtils.ts file. Unvalidated input enables an attacker to execute arbitrary commands on the host, potentially leading to full compromise of the system. This corresponds to CWE-77 (command injection) and CWE-78 (OS command injection).

Affected Systems

The affected product is Sigmade Git-MCP-Server at commits up to 785aa159f262a02d5791a5d8a8e13c507ac42880. Because the project follows a rolling release model, no fixed release is documented and the vulnerability exists in all prior commits until a patch is applied.

Risk and Exploitability

The CVSS score is 4.8 indicating moderate severity, and the vulnerability is not listed in KEV. Since the attack requires local access, the risk is confined to environments where an attacker can run code locally or gain local privileges. Nevertheless, the exploit code has been publicly released, and the vendor did not respond to disclosure, increasing the likelihood of exploitation.

Generated by OpenCVE AI on March 20, 2026 at 19:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any vendor‑provided patch or update to a fixed release as soon as it becomes available.
  • Restrict local access to the Git‑MCP‑Server environment so that only trusted users can interact with the service.
  • If no patch is available, consider disabling the child_process.exec usage or rewriting that logic to avoid passing untrusted data to the shell.
  • Implement logging and monitoring to detect unexpected shell command execution within the application.
  • Assess the risk of current deployments and, if necessary, migrate to a different implementation or vendor that provides secure handling of command execution.

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 16:15:00 +0000

Values Removed: (none)
Values Added:
  Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 23 Mar 2026 10:00:00 +0000

Values Removed: (none)
Values Added:
  First Time appeared: Sigmade, Sigmade git-mcp-server
  Vendors & Products: Sigmade, Sigmade git-mcp-server

Fri, 20 Mar 2026 18:45:00 +0000

Values Removed: (none)
Values Added:
  Description: A vulnerability was found in sigmade Git-MCP-Server up to 785aa159f262a02d5791a5d8a8e13c507ac42880. Affected by this vulnerability is the function child_process.exec of the file src/gitUtils.ts of the component show_merge_diff/quick_merge_summary/show_file_diff. The manipulation results in os command injection. The attack must be initiated from a local position. The exploit has been made public and could be used. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases. It is advisable to implement a patch to correct this issue. The vendor was contacted early about this disclosure but did not respond in any way.
  Title: sigmade Git-MCP-Server gitUtils.ts child_process.exec os command injection
  Weaknesses: CWE-77, CWE-78
  References: (none shown)
  Metrics:
    cvssV2_0: {'score': 4.3, 'vector': 'AV:L/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C'}
    cvssV3_0: {'score': 5.3, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}
    cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}
    cvssV4_0: {'score': 4.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


Subscriptions

Sigmade Git-mcp-server
MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-25T13:59:02.878Z

Reserved: 2026-03-20T09:15:25.741Z

Link: CVE-2026-4496

Vulnrichment

Updated: 2026-03-25T13:58:58.624Z

NVD

Status : Deferred

Published: 2026-03-20T19:16:20.310

Modified: 2026-04-22T21:32:08.360

Link: CVE-2026-4496

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:34:55Z

Weaknesses