Description
A flaw has been found in chatboxai chatbox up to 1.20.0. It affects the function StdioClientTransport in the file src/main/mcp/ipc-stdio-transport.ts of the component Model Context Protocol Server Management System. Manipulation of the argument args/env can lead to OS command injection. The attack can be launched remotely. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-04-12
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote Command Execution
Action: Immediate Patch
AI Analysis

Impact

The flaw resides in the StdioClientTransport function of chatboxai chatbox up to version 1.20.0. An attacker who can influence the args or env parameters passed to that function can inject operating-system commands, leading to arbitrary code execution on the host running chatbox. The weakness is a classic OS command injection (CWE-77 and CWE-78): the attacker can run any command with the privileges of the chatbox process and so jeopardize confidentiality, integrity, and availability.

Affected Systems

Affected systems are installations of chatboxai chatbox whose Model Context Protocol Server Management System uses StdioClientTransport. The vulnerability applies to all releases up to and including version 1.20.0; newer releases are not affected.

Risk and Exploitability

The CVSS score of 6.9 indicates moderate severity, and an exploit has been published. The attack can be launched remotely when the chatbox service is reachable over the network. EPSS data is not available, and the issue is not listed in CISA's KEV catalog, but the public availability of the exploit and the lack of an immediate fix make the risk significant. Once a target is exposed, an attacker can execute arbitrary commands, potentially enabling pivoting or further compromise.

Generated by OpenCVE AI on April 12, 2026 at 23:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade chatbox to a version that resolves the command injection bug (check the vendor’s release notes for a patch or newer release).
  • If an update is not yet available, restrict network access to the chatbox service using firewalls or network segmentation to prevent remote exploitation.
  • If the product configuration permits, disable or sanitize the args and env parameters that the StdioClientTransport function accepts.
  • Continuously monitor system logs and security events for signs of unexpected command execution or unusual environment changes.
  • Coordinate with the chatboxai security team for guidance and report any remediation steps taken.


Advisories

No advisories yet.

History

Mon, 13 Apr 2026 13:00:00 +0000

Type                 Values Removed    Values Added
First Time appeared                    Chatboxai
                                       Chatboxai chatbox
Vendors & Products                     Chatboxai
                                       Chatboxai chatbox

Sun, 12 Apr 2026 22:15:00 +0000

Type             Values Removed    Values Added
Description                        A flaw has been found in chatboxai chatbox up to 1.20.0. This impacts the function StdioClientTransport of the file src/main/mcp/ipc-stdio-transport.ts of the component Model Context Protocol Server Management System. Executing a manipulation of the argument args/env can lead to os command injection. The attack can be launched remotely. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Title                              chatboxai chatbox Model Context Protocol Server Management System ipc-stdio-transport.ts StdioClientTransport os command injection
Weaknesses                         CWE-77
                                   CWE-78
References
Metrics                            cvssV2_0: {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
                                   cvssV3_0: {'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
                                   cvssV3_1: {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
                                   cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-12T22:00:22.045Z

Reserved: 2026-04-12T04:30:52.194Z

Link: CVE-2026-6130

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-12T22:16:09.360

Modified: 2026-04-12T22:16:09.360

Link: CVE-2026-6130

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-13T12:53:58Z

Weaknesses