CVE-2026-5327 - Vulnerability Details

Description

A security flaw has been discovered in efforthye fast-filesystem-mcp up to 3.5.1. The affected element is the function handleGetDiskUsage of the file src/index.ts. Performing a manipulation results in command injection. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.

Published: 2026-04-02

Score: 5.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability resides in the handleGetDiskUsage function of fast‑filesystem‑mcp version 3.5.1 and earlier, allowing an attacker to inject arbitrary operating‑system commands through unsanitized input. This leads to remote command execution, compromising confidentiality, integrity, and availability. The weakness is a classic command injection identified by CWE‑74 and CWE‑77.

Affected Systems

Affected product: efforthye fast‑filesystem‑mcp, versions up to and including 3.5.1. Any installation using the handleGetDiskUsage endpoint in those releases is vulnerable. No impact on newer, unlisted versions is documented.

Risk and Exploitability

The CVSS score is 5.3, indicating moderate severity. No EPSS score is available and the vulnerability is not in KEV, so widespread exploitation is not yet recorded. However, an exploit has been publicly released and the attack can be carried out remotely, making the risk significant for exposed installations. The likely attack vector is remote network interaction via the service that invokes handleGetDiskUsage.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

efforthye

fast-filesystem-mcp

affected

Version	Status	Constraints
`3.5.0`	affected	—
`3.5.1`	affected	—

No data.

Vendor Product Confidence Versions

Efforthye

Fast-filesystem-mcp

95%

Version	Status	Scheme	Platform
`3.5.0`	affected	semver	—
`3.5.1`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Determine the current version of fast‑filesystem‑mcp you are running.
If the version is 3.5.1 or older, upgrade to the latest release with the fix.
If an upgrade is not possible immediately, restrict the service to localhost or limit inbound traffic to trusted hosts only.
Monitor system logs for abnormal command execution or unexpected process activity.

Generated by OpenCVE AI on April 2, 2026 at 13:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.00924.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/efforthye/fast-filesystem-mcp/
https://github.com/efforthye/fast-filesystem-mcp/issues/15
https://github.com/user-attachments/files/25822878/fast-filesystem-mcp_bug.pdf
https://vuldb.com/submit/780776
https://vuldb.com/vuln/354658
https://vuldb.com/vuln/354658/cti

History

Thu, 02 Apr 2026 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 02 Apr 2026 12:00:00 +0000

Type	Values Removed	Values Added
Description		A security flaw has been discovered in efforthye fast-filesystem-mcp up to 3.5.1. The affected element is the function handleGetDiskUsage of the file src/index.ts. Performing a manipulation results in command injection. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
Title		efforthye fast-filesystem-mcp index.ts handleGetDiskUsage command injection
First Time appeared		Efforthye Efforthye fast-filesystem-mcp
Weaknesses		CWE-74 CWE-77
CPEs		cpe:2.3:a:efforthye:fast-filesystem-mcp::::::::
Vendors & Products		Efforthye Efforthye fast-filesystem-mcp
References		https://github.com/efforthye/fast-filesystem-mcp/ https://github.com/efforthye/fast-filesystem-mcp/issues/15 https://github.com/user-attachments/files/25822878/fast-filesystem-mcp_bug.pdf https://vuldb.com/submit/780776 https://vuldb.com/vuln/354658 https://vuldb.com/vuln/354658/cti
Metrics		cvssV2_0 `{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:C'}` cvssV3_0 `{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:C'}` cvssV3_1 `{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:C'}` cvssV4_0 `{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Efforthye Fast-filesystem-mcp

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-04-02T11:45:11.124Z

Updated: 2026-04-02T13:23:04.196Z

Reserved: 2026-04-01T13:27:15.115Z

Link: CVE-2026-5327

Vulnrichment

Updated: 2026-04-02T13:22:56.281Z

NVD

Status : Received

Published: 2026-04-02T12:16:21.260

Modified: 2026-04-02T12:16:21.260

Link: CVE-2026-5327

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-02T20:21:26Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object