Description
A vulnerability was found in PolarVista xcode-mcp-server 1.0.0. This issue affects the function build_project/run_tests of the file src/index.ts of the component MCP Interface. The manipulation of the argument Request results in OS command injection. The attack may be launched remotely. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-04-29
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An OS command injection flaw exists in the build_project/run_tests functions of PolarVista xcode-mcp-server 1.0.0 (src/index.ts, MCP Interface component). An attacker can manipulate the Request argument so that arbitrary OS commands are executed by the server process. This gives the attacker full control over the affected host, enabling data theft, system compromise, or further lateral movement. The weakness is a classic OS command injection, tracked as CWE-77 and CWE-78.

Affected Systems

The affected product is PolarVista xcode-mcp-server 1.0.0; no other versions or vendors are listed. The server component exposes a Model Context Protocol (MCP) interface to Xcode build and test operations and is typically deployed on macOS or Linux machines used in CI/CD or development pipelines.

Risk and Exploitability

The CVSS score of 6.9 places the flaw at medium severity, but the public exploit raises the urgency of remediation. An EPSS score was not available when this analysis was generated, so the likelihood of exploitation could not be quantified; the availability of a public proof-of-concept nonetheless suggests that attackers could readily target exposed instances. Because the server can be reached remotely and the exploit is straightforward, an adversary with network access can achieve remote code execution without additional credentials. The vulnerability is not listed in the CISA KEV catalog, but the public disclosure implies that it has already been leveraged by malicious actors. Organisations should therefore treat this flaw as critical to operational security.

Generated by OpenCVE AI on April 30, 2026 at 03:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a vendor-released patch to PolarVista xcode-mcp-server once one is available.
  • Restrict network exposure by placing the server behind a firewall or internal network boundary so that only trusted hosts can reach the build_project/run_tests endpoint.
  • Sanitise or validate the Request argument before it is passed to the operating system command executor, ensuring that only expected inputs are honoured and preventing arbitrary command execution.
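As an added illustration (not code from xcode-mcp-server), the hardened handling the last bullet calls for, written in TypeScript for a run_tests request: each field is checked against an allowlist and handed to xcodebuild as its own argv element instead of being interpolated into a shell command string. The request field names and the Spawner abstraction are assumptions; the page only names the argument "Request".

```typescript
// Added illustration, not code from xcode-mcp-server: a hardened path from an
// MCP run_tests request to an xcodebuild invocation. The request fields and
// the Spawner type are assumptions; the page only names the argument "Request".
interface RunTestsRequest {
  projectPath: string;   // .xcodeproj or .xcworkspace to test
  scheme: string;        // value for xcodebuild -scheme
  destination?: string;  // optional value for xcodebuild -destination
}

// argv-style spawner (file + argument vector, no shell). In production this is
// child_process.execFile wrapped in a Promise; a test can inject a fake.
type Spawner = (file: string, args: string[]) => Promise<string>;

// Allowlists: the first character must be alphanumeric (or '/' for paths) so a
// field cannot start with '-' and masquerade as an xcodebuild flag, a risk that
// remains even when no shell is involved.
const SCHEME_RE = /^[A-Za-z0-9][A-Za-z0-9 ._-]{0,99}$/;
const PROJECT_RE = /^[A-Za-z0-9\/][A-Za-z0-9 ._\/-]{0,254}\.(xcodeproj|xcworkspace)$/;
const DEST_RE = /^[A-Za-z0-9][A-Za-z0-9 .,=_-]{0,199}$/;

// Returns the names of fields that fail validation; empty means the request is acceptable.
function validateRunTestsRequest(req: RunTestsRequest): string[] {
  const bad: string[] = [];
  if (!SCHEME_RE.test(req.scheme)) bad.push("scheme");
  if (!PROJECT_RE.test(req.projectPath) || req.projectPath.includes("..")) bad.push("projectPath");
  if (req.destination !== undefined && !DEST_RE.test(req.destination)) bad.push("destination");
  return bad;
}

// Builds the argument vector. Each field is a separate argv element; nothing is
// concatenated into a command string, so shell metacharacters have no effect.
function buildXcodebuildArgs(req: RunTestsRequest): string[] {
  const bad = validateRunTestsRequest(req);
  if (bad.length > 0) throw new Error(`run_tests rejected fields: ${bad.join(", ")}`);
  const kind = req.projectPath.endsWith(".xcworkspace") ? "-workspace" : "-project";
  const args = [kind, req.projectPath, "-scheme", req.scheme];
  if (req.destination !== undefined) args.push("-destination", req.destination);
  args.push("test");
  return args;
}

// MCP tool handler: validation and argv construction happen before the spawner runs.
function runTests(req: RunTestsRequest, spawn: Spawner): Promise<string> {
  return spawn("xcodebuild", buildXcodebuildArgs(req));
}
```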

Generated by OpenCVE AI on April 30, 2026 at 03:42 UTC.


Advisories

No advisories yet.

History

Thu, 30 Apr 2026 16:30:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 30 Apr 2026 08:45:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Polarvista; Polarvista xcode-mcp-server

Type: Vendors & Products
Values Removed: (none)
Values Added: Polarvista; Polarvista xcode-mcp-server

Wed, 29 Apr 2026 21:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: A vulnerability was found in PolarVista xcode-mcp-server 1.0.0. This issue affects the function build_project/run_tests of the file src/index.ts of the component MCP Interface. The manipulation of the argument Request results in OS command injection. The attack may be launched remotely. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet.

Type: Title
Values Removed: (none)
Values Added: PolarVista xcode-mcp-server MCP index.ts run_tests os command injection

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-77; CWE-78

Type: References
Values Removed: (none)
Values Added: (none)

Type: Metrics
Values Removed: (none)
Values Added:
  cvssV2_0 {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
  cvssV3_0 {'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV3_1 {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-30T15:21:56.484Z

Reserved: 2026-04-29T13:58:39.584Z

Link: CVE-2026-7416

Vulnrichment

Updated: 2026-04-30T13:17:54.520Z

NVD

Status: Deferred

Published: 2026-04-29T22:16:22.260

Modified: 2026-04-30T14:52:54.847

Link: CVE-2026-7416

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T08:20:27Z

Weaknesses