Description
A weakness has been identified in florensiawidjaja BioinfoMCP up to 7ada7918b9e515604d3c0ae264d3a9af10bf6e54. This vulnerability affects the function Upload of the file bioinfo_mcp_platform/app.py of the component Upload Endpoint. This manipulation of the argument Name causes path traversal. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks. Continuous delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-04-29
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A path traversal vulnerability exists in the Upload function of florensiawidjaja BioinfoMCP. By manipulating the Name argument supplied to the upload endpoint, an attacker can store files outside the intended upload directory, potentially overwriting critical configuration files or placing malicious scripts. Because the flaw is remote and the upload endpoint is publicly reachable, this capability can be exercised without prior authentication.

Affected Systems

All installations of florensiawidjaja BioinfoMCP derived from the repository prior to the commit 7ada7918b9e515604d3c0ae264d3a9af10bf6e54 are impacted. The project uses continuous delivery, so the exact version string is not tracked; any deployment that has not been patched or updated to a build that includes the fix is vulnerable.

Risk and Exploitability

The CVSS score of 6.9 indicates a moderate severity. The EPSS score is not available, and the vulnerability has not been listed in CISA’s KEV catalog. Attackers can exploit this flaw remotely by sending a crafted HTTP request to the upload endpoint with a Name that contains directory traversal sequences. As no official patch has been released and exploitation is publicly documented, there is a risk that arbitrary files can be written to unintended locations, which may compromise the integrity of the system.

Generated by OpenCVE AI on April 30, 2026 at 13:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Restrict the upload endpoint to trusted users or disable public access.
  • Validate and sanitize the Name parameter to reject path traversal patterns before writing files.
  • Deploy a Web Application Firewall rule that blocks requests containing suspicious path segments during file uploads.
  • Check the vendor’s website or repository regularly for patch releases.
  • If feasible, disable the upload feature until a patch becomes available or replace the application with a version that has the fix.
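
One way to implement the Name validation recommended above, shown next to the weak join it replaces. This is an added example, not BioinfoMCP's code; the function names, the exception class and the sample file names are hypothetical and constructed for illustration.

```python
import os
import tempfile
from pathlib import Path


class UnsafeUploadName(ValueError):
    """The client-supplied name would resolve outside the upload directory."""


def naive_upload_path(upload_dir: Path, name: str) -> Path:
    # Weak pattern (CWE-22): the name is joined as-is, so "../" segments or an
    # absolute path decide where the file lands.
    return Path(os.path.normpath(os.path.join(upload_dir, name)))


def safe_upload_path(upload_dir: Path, name: str) -> Path:
    if not name or "\x00" in name:
        raise UnsafeUploadName("empty name or NUL byte")
    # Treat "/" and "\" both as separators, whatever the host OS is.
    parts = name.replace("\\", "/").split("/")
    if len(parts) != 1 or parts[0] in (".", ".."):
        raise UnsafeUploadName(f"not a single file name: {name!r}")
    base = upload_dir.resolve()
    # resolve() follows symlinks, so a link planted inside the upload
    # directory cannot redirect the write elsewhere.
    candidate = (base / parts[0]).resolve()
    if candidate.parent != base:
        raise UnsafeUploadName(f"resolves outside upload dir: {name!r}")
    return candidate


def classify(names):
    """Return {name: 'accepted' | 'rejected'} against a scratch upload dir."""
    with tempfile.TemporaryDirectory() as tmp:
        upload_dir = Path(tmp) / "uploads"
        upload_dir.mkdir()
        verdicts = {}
        for name in names:
            try:
                safe_upload_path(upload_dir, name)
                verdicts[name] = "accepted"
            except UnsafeUploadName:
                verdicts[name] = "rejected"
        return verdicts


if __name__ == "__main__":
    # Constructed sample names, not taken from any real request.
    samples = ["reads.fastq", "../outside.txt", "/abs/outside.txt", "..\\outside.txt"]
    for name, verdict in classify(samples).items():
        print(f"{verdict:8} {name!r}")
```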



Advisories

No advisories yet.

History

Thu, 30 Apr 2026 13:15:00 +0000

Type: Metrics
Values Added: ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 30 Apr 2026 08:45:00 +0000

Type: First Time appeared
Values Added: Florensiawidjaja; Florensiawidjaja bioinfomcp

Type: Vendors & Products
Values Added: Florensiawidjaja; Florensiawidjaja bioinfomcp

Wed, 29 Apr 2026 19:00:00 +0000

Type: Description
Values Added: A weakness has been identified in florensiawidjaja BioinfoMCP up to 7ada7918b9e515604d3c0ae264d3a9af10bf6e54. This vulnerability affects the function Upload of the file bioinfo_mcp_platform/app.py of the component Upload Endpoint. This manipulation of the argument Name causes path traversal. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks. Continuous delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The project was informed of the problem early through an issue report but has not responded yet.

Type: Title
Values Added: florensiawidjaja BioinfoMCP Upload Endpoint app.py upload path traversal

Type: Weaknesses
Values Added: CWE-22

Type: References

Type: Metrics
Values Added:

cvssV2_0

{'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-30T13:04:37.252Z

Reserved: 2026-04-29T11:18:27.321Z

Link: CVE-2026-7398

Vulnrichment

Updated: 2026-04-30T13:04:32.342Z

NVD

Status: Deferred

Published: 2026-04-29T19:16:26.317

Modified: 2026-04-29T21:16:21.590

Link: CVE-2026-7398

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T14:00:22Z

Weaknesses