CVE-2026-5528 - Vulnerability Details

- MoussaabBadla code-screenshot-mcp HTTP os command injection

Description

A security vulnerability has been detected in MoussaabBadla code-screenshot-mcp up to 0.1.0. This affects an unknown part of the component HTTP Interface. Such manipulation leads to os command injection. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Published: 2026-04-04

Score: 5.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A flaw in MoussaabBadla’s code-screenshot-mcp HTTP interface allows an attacker to inject operating‑system commands via crafted requests, giving the attacker the ability to run arbitrary commands on the host. This results in a compromise of confidentiality, integrity, and availability, as the attacker can execute any shell command with the privileges of the running service.

Affected Systems

The vulnerability affects all releases of MoussaabBadla code-screenshot-mcp up to and including version 0.1.0. The precise component within the HTTP interface that is impacted is not specified, but any instance of the application exposed to untrusted traffic is potentially vulnerable.

Risk and Exploitability

The CVSS score of 5.3 indicates a medium severity, but the public disclosure of an exploit and the lack of a vendor response increase the risk. The EPSS score is unavailable, and the vulnerability is not listed in the CISA KEV catalog. Attackers can reach the vulnerable interface remotely via HTTP, making the vector network‑based. Without a patch, the risk remains high, and the attack remains feasible as demonstrated by publicly available proof‑of‑concept code.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

MoussaabBadla

code-screenshot-mcp

affected

Version	Status	Constraints
`0.1.0`	affected	—

No data.

Vendor Product Confidence Versions

Moussaabbadla

Code-screenshot-mcp

100%

Version	Status	Scheme	Platform
`0.1.0`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Check for an updated release of code-screenshot-mcp that contains a fix and upgrade if available.
If no fix exists, block access to the vulnerable HTTP endpoint from all but trusted networks using firewall or routing rules.
Deploy a web application firewall or input validation layer to detect and block malformed command injection payloads.
Enable detailed logs on the HTTP interface and monitor for suspicious or unexpected command execution activity.

Generated by OpenCVE AI on April 5, 2026 at 02:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.00339.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/wing3e/public_exp/issues/23
https://vuldb.com/submit/782064
https://vuldb.com/vuln/355281
https://vuldb.com/vuln/355281/cti

History

Tue, 07 Apr 2026 00:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Moussaabbadla Moussaabbadla code-screenshot-mcp
Vendors & Products		Moussaabbadla Moussaabbadla code-screenshot-mcp

Mon, 06 Apr 2026 18:00:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Sat, 04 Apr 2026 23:45:00 +0000

Type	Values Removed	Values Added
Description		A security vulnerability has been detected in MoussaabBadla code-screenshot-mcp up to 0.1.0. This affects an unknown part of the component HTTP Interface. Such manipulation leads to os command injection. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title		MoussaabBadla code-screenshot-mcp HTTP os command injection
Weaknesses		CWE-77 CWE-78
References		https://github.com/wing3e/public_exp/issues/23 https://vuldb.com/submit/782064 https://vuldb.com/vuln/355281 https://vuldb.com/vuln/355281/cti
Metrics		cvssV2_0 `{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Moussaabbadla Code-screenshot-mcp

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-04-04T23:30:14.629Z

Updated: 2026-04-06T16:39:10.209Z

Reserved: 2026-04-04T06:24:19.838Z

Link: CVE-2026-5528

Vulnrichment

Updated: 2026-04-06T16:39:06.807Z

NVD

Status : Deferred

Published: 2026-04-05T00:16:04.157

Modified: 2026-04-24T18:13:28.877

Link: CVE-2026-5528

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-06T21:57:27Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object