Description
A vulnerability was detected in VetCoders mcp-server-semgrep 1.0.0. This affects the function analyze_results/filter_results/export_results/compare_results/scan_directory/create_rule of the file src/index.ts of the component MCP Interface. The manipulation of the argument ID results in os command injection. The attack can be executed remotely. The exploit is now public and may be used. Upgrading to version 1.0.1 is able to mitigate this issue. The patch is identified as 141335da044e53c3f5b315e0386e01238405b771. It is advisable to upgrade the affected component.
Published: 2026-04-30
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A remote attacker can inject arbitrary operating‑system commands by submitting a malicious ID value to the create_rule function of the MCP Interface. The function passes the argument directly to the underlying OS without sanitization, allowing execution of code with the privileges of the service process. Because the API is reachable from outside the host, an attacker can trigger the flaw without local access.

Affected Systems

The vulnerability affects VetCoders mcp-server-semgrep, version 1.0.0. Released fixes are available in version 1.0.1 and later, which incorporate commit 141335da044e53c3f5b315e0386e01238405b771. Any environment running the unpatched component is susceptible.

Risk and Exploitability

The CVSS score of 6.9 indicates a medium severity vulnerability with remote code execution potential. The EPSS score is not available, and the flaw is not listed in CISA KEV, but public exploit code exists, signaling a realistic threat vector. Attackers could exploit the exposed API from the internet or internal network, executing arbitrary commands that may jeopardize system confidentiality, integrity, and availability.

Generated by OpenCVE AI on April 30, 2026 at 03:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade VetCoders mcp-server-semgrep to version 1.0.1 or later, ensuring that the commit 141335da044e53c3f5b315e0386e01238405b771 is incorporated.
  • If an immediate upgrade is not possible, isolate the component behind a firewall or otherwise limit exposure of the API that accepts the ID parameter, restricting access to trusted users only.
  • As an interim measure, apply input validation to the ID parameter—enforce an alphanumeric whitelist or length constraints and escape or sanitize the value before passing it to the operating system, mitigating the injection risk until the patch is deployed.
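The TypeScript below is an added illustration of the interim hardening described in the last bullet (validate the ID, then hand it to the operating system without a shell) and of the unsanitized-argument pattern described under Impact. It is not code from the mcp-server-semgrep project: the function names, the `rules/<id>.yml` layout and the semgrep command line are assumptions made for the example.

```typescript
// Added example, not the mcp-server-semgrep project's code. Function names,
// the rules/<id>.yml layout and the semgrep flags are assumptions.
import { execFile } from "node:child_process";
import { promisify } from "node:util";

const execFileAsync = promisify(execFile);

// Allowlist for a rule identifier: letters, digits, dot, underscore and
// hyphen, starting with a letter or digit, at most 64 characters. Anything
// else is rejected before it can reach a command line.
const RULE_ID_PATTERN = /^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$/;

function isValidRuleId(id: string): boolean {
  return RULE_ID_PATTERN.test(id);
}

function assertValidRuleId(id: string): string {
  if (!isValidRuleId(id)) {
    throw new Error(`rejected rule id: ${JSON.stringify(id)}`);
  }
  return id;
}

// Vulnerable shape, shown only for contrast and never executed here: the
// untrusted id is interpolated into one command string that a shell parses,
// so shell metacharacters in the id become part of the command.
function buildShellCommandUnsafe(ruleId: string, target: string): string {
  return `semgrep --config rules/${ruleId}.yml ${target}`;
}

// Hardened shape: the id is validated against the allowlist, then passed
// as a discrete argv entry. execFile spawns the binary directly with this
// array; no shell ever sees the value, so there is nothing to inject into.
function buildSemgrepArgv(ruleId: string, target: string): string[] {
  const safeId = assertValidRuleId(ruleId);
  return ["--config", `rules/${safeId}.yml`, target];
}

// Runs semgrep with the hardened argument vector (assumed invocation).
async function runSemgrep(ruleId: string, target: string): Promise<string> {
  const argv = buildSemgrepArgv(ruleId, target);
  const { stdout } = await execFileAsync("semgrep", argv);
  return stdout;
}
```

The two controls are independent and both are worth keeping: the allowlist rejects anything that does not look like a rule name, and `execFile` with an argument array removes the shell from the path entirely, so even a value that slipped past validation would reach semgrep as a single literal argument rather than as shell syntax.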



Advisories

No advisories yet.

History

Thu, 30 Apr 2026 13:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 30 Apr 2026 08:45:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Vetcoders
                    |                | Vetcoders mcp-server-semgrep
Vendors & Products  |                | Vetcoders
                    |                | Vetcoders mcp-server-semgrep

Thu, 30 Apr 2026 00:15:00 +0000

Type        | Values Removed | Values Added
Description |                | A vulnerability was detected in VetCoders mcp-server-semgrep 1.0.0. This affects the function analyze_results/filter_results/export_results/compare_results/scan_directory/create_rule of the file src/index.ts of the component MCP Interface. The manipulation of the argument ID results in os command injection. The attack can be executed remotely. The exploit is now public and may be used. Upgrading to version 1.0.1 is able to mitigate this issue. The patch is identified as 141335da044e53c3f5b315e0386e01238405b771. It is advisable to upgrade the affected component.
Title       |                | VetCoders mcp-server-semgrep MCP index.ts create_rule os command injection
Weaknesses  |                | CWE-77, CWE-78
References  |                |
Metrics     |                | cvssV2_0 {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C'}
            |                | cvssV3_0 {'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}
            |                | cvssV3_1 {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}
            |                | cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-30T12:26:55.487Z

Reserved: 2026-04-29T16:57:29.242Z

Link: CVE-2026-7446

Vulnrichment

Updated: 2026-04-30T12:26:51.941Z

NVD

Status : Deferred

Published: 2026-04-30T00:16:23.943

Modified: 2026-04-30T14:52:54.847

Link: CVE-2026-7446

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T08:20:20Z

Weaknesses