Description
A security flaw has been discovered in egtai gmx-vmd-mcp up to 0.1.0. This issue affects the function launch_vmd_gui_tool of the file mcp_server.py of the component VMD Launch Handler. The manipulation of the argument structure_file/trajectory_file results in command injection. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-04-28
Score: 6.9 Medium
EPSS: 2.2% Low
KEV: No
Impact: Remote Command Injection
Action: Patch ASAP
AI Analysis

Impact

The vulnerability is a command injection flaw located in the launch_vmd_gui_tool function of the VMD Launch Handler. By manipulating the structure_file and trajectory_file arguments, an attacker can execute arbitrary shell commands on the host. The flaw is classified as CWE-74 and CWE-77. If exploited the attacker gains remote code execution privileges, potentially compromising confidentiality, integrity, and availability of the affected system.

Affected Systems

It affects egtai gmx-vmd-mcp version 0.1.0 and earlier releases. No other versions are known to be impacted, and no additional vendor information is disclosed.

Risk and Exploitability

The CVSS score for this issue is 6.9, indicating a moderate severity. EPSS score is 1%, indicating a low but nonzero likelihood of exploitation. The exploit has been released publicly, suggesting a higher exploitation likelihood than the score alone implies. The vulnerability is not listed in CISA KEV. The attack vector is remote, relying on controlled input to the launch_vmd_gui_tool command.

Generated by OpenCVE AI on April 28, 2026 at 19:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to the latest verified release of egtai gmx-vmd-mcp or apply the vendor‑released patch that corrects the argument parsing in launch_vmd_gui_tool.
  • Modify the application configuration to reject or sanitize values passed to structure_file and trajectory_file, limiting them to expected file paths or whitelisted patterns.
  • If the functionality is not required, disable or remove the launch_vmd_gui_tool interface from the deployment to eliminate the attack surface.

Generated by OpenCVE AI on April 28, 2026 at 19:32 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Egtai
Egtai gmx-vmd-mcp
Vendors & Products Egtai
Egtai gmx-vmd-mcp

Tue, 28 Apr 2026 03:00:00 +0000

Type Values Removed Values Added
Description A security flaw has been discovered in egtai gmx-vmd-mcp up to 0.1.0. This issue affects the function launch_vmd_gui_tool of the file mcp_server.py of the component VMD Launch Handler. The manipulation of the argument structure_file/trajectory_file results in command injection. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
Title egtai gmx-vmd-mcp VMD Launch mcp_server.py launch_vmd_gui_tool command injection
Weaknesses CWE-74
CWE-77
References
Metrics cvssV2_0

{'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Egtai Gmx-vmd-mcp
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-28T14:34:21.846Z

Reserved: 2026-04-27T15:18:46.228Z

Link: CVE-2026-7215

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Deferred

Published: 2026-04-28T03:16:04.430

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-7215

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T19:45:07Z

Weaknesses