CVE-2026-5619 - Vulnerability Details

- Braffolk mcp-summarization-functions summarize_command mcp-server.ts os command injection

Description

A flaw has been found in Braffolk mcp-summarization-functions up to 0.1.5. This impacts an unknown function of the file src/server/mcp-server.ts of the component summarize_command. Executing a manipulation of the argument command can lead to os command injection. The attack requires local access. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Published: 2026-04-06

Score: 4.8 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A flaw in Braffolk mcp-summarization-functions allows a local attacker to supply a crafted command to the summarize_command routine in src/server/mcp-server.ts, which is executed directly by the operating system. This results in a classic OS command injection, enabling the attacker to run arbitrary commands on the host machine. The vulnerability is present in all releases up to version 0.1.5 and was discovered in the command handling logic of the summarize_command feature. The exploit has been published and is likely usable against unpatched installations.

Affected Systems

Braffolk mcp-summarization-functions versions 0.1.5 and earlier are affected. The issue lies in the src/server/mcp-server.ts file within the summarize_command component. Any system that runs one of these vulnerable versions with local access to the component is at risk of exploitation.

Risk and Exploitability

The CVSS score of 4.8 indicates moderate severity. The EPSS score is not available, but the existence of a public exploit demonstrates that the flaw can be practically leveraged. The attack requires local access, so the threat primarily targets users who can physically or remotely access the host where the component runs. Because the vulnerability is not listed in the CISA KEV catalog, defenders must rely on their own monitoring and mitigation actions. If local access is compromised, an attacker could execute arbitrary system commands, potentially leading to full system compromise.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Braffolk

mcp-summarization-functions

affected

Version	Status	Constraints
`0.1.0`	affected	—
`0.1.1`	affected	—
`0.1.2`	affected	—
`0.1.3`	affected	—
`0.1.4`	affected	—
`0.1.5`	affected	—

No data.

Vendor Product Confidence Versions

Braffolk

Mcp-summarization-functions

100%

Version	Status	Scheme	Platform
`[0.1.0,0.1.5]`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Check Braffolk’s website or contact the vendor for a patch, and apply it to a version newer than 0.1.5 as soon as it becomes available.
If an update is not immediately available, disable or remove the summarize_command functionality to eliminate the injection point.
Limit local access by ensuring that only trusted users can execute the component, or run it in a sandboxed environment with restricted privileges.
Monitor logs for unusual command execution associated with the summarize_command routine.
Maintain awareness of any vendor communications and apply official guidance promptly.

Generated by OpenCVE AI on April 6, 2026 at 07:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Local

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.00615.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/wing3e/public_exp/issues/26
https://vuldb.com/submit/785574
https://vuldb.com/vuln/355409
https://vuldb.com/vuln/355409/cti

History

Tue, 07 Apr 2026 00:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Braffolk Braffolk mcp-summarization-functions
Vendors & Products		Braffolk Braffolk mcp-summarization-functions

Mon, 06 Apr 2026 15:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 06 Apr 2026 05:30:00 +0000

Type	Values Removed	Values Added
Description		A flaw has been found in Braffolk mcp-summarization-functions up to 0.1.5. This impacts an unknown function of the file src/server/mcp-server.ts of the component summarize_command. Executing a manipulation of the argument command can lead to os command injection. The attack requires local access. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title		Braffolk mcp-summarization-functions summarize_command mcp-server.ts os command injection
Weaknesses		CWE-77 CWE-78
References		https://github.com/wing3e/public_exp/issues/26 https://vuldb.com/submit/785574 https://vuldb.com/vuln/355409 https://vuldb.com/vuln/355409/cti
Metrics		cvssV2_0 `{'score': 4.3, 'vector': 'AV:L/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 5.3, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 4.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Braffolk Mcp-summarization-functions

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-04-06T03:45:10.920Z

Updated: 2026-04-06T14:49:50.040Z

Reserved: 2026-04-05T15:57:42.639Z

Link: CVE-2026-5619

Vulnrichment

Updated: 2026-04-06T14:33:51.770Z

NVD

Status : Deferred

Published: 2026-04-06T05:16:01.590

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-5619

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-06T21:47:28Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Local

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object