Description
A vulnerability was found in ggerve coding-standards-mcp. This issue affects the function get_style_guide/get_best_practices of the file server.py. The manipulation of the argument Language results in path traversal. It is possible to launch the attack remotely. The exploit has been made public and could be used. This product takes the approach of rolling releases to provide continuous delivery. Therefore, version details for affected and updated releases are not available. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-05-01
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A path traversal flaw (CWE-22) exists in the get_style_guide and get_best_practices functions of server.py in the ggerve coding-standards-mcp server. The Language argument is used to build a file path without sufficient validation, so a value containing traversal sequences (for example ../) can make the server read files outside the directory that holds the style guides. The attack can be carried out remotely by any client that can reach the server, without authentication or user interaction. The CVSS vectors rate the confidentiality impact as limited (VC:L in v4.0, C:L in v3.x) with no integrity or availability impact; what can be disclosed is bounded by what the server process can read, which may include configuration or source files on the host.

Affected Systems

The vulnerable component is the ggerve coding‑standards‑mcp application. Because the project deploys rolling releases, no specific affected version numbers are available, and the vendor has not yet published a fixed release.

Risk and Exploitability

The CVSS 4.0 score of 6.9 is rated Medium (the v3.0 and v3.1 vectors score 5.3 and the v2 vector 5.0). EPSS data is not yet available and the CVE is not listed in the CISA KEV catalog, but a public proof of concept exists, and the SSVC assessment marks exploitation as "poc" and the attack as automatable. The attack can be performed from any location that can reach the vulnerable server, and the maintainer had not responded to the report at the time of publication. Given the lack of a fix and the remote, unauthenticated nature of the attack, the risk remains significant until an official patch is deployed or the server is mitigated as described below.

Generated by OpenCVE AI on May 2, 2026 at 10:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Watch for and install an official fix from ggerve as soon as one is published; because the project uses rolling releases, check the repository's commit history rather than a version number to confirm the fix is present.
  • Until then, validate the Language parameter server-side: restrict it to an allowlist of known language names (ideally the set of guide files that actually exist), reject any value containing path separators or "..", and after resolving the final path confirm it still lies inside the guides directory.
  • Limit who can reach the server. If it is exposed over a network transport (HTTP/SSE), place it behind a reverse proxy or firewall that restricts source addresses and blocks requests carrying traversal sequences; a server driven only over stdio by a local client is reachable only by that client. Run the process as an unprivileged user with read access to nothing beyond the guides directory, which caps what a traversal can disclose.
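As an added example written for this page (not the project's code, and not a reconstruction of its actual server.py; the guides directory layout, the <language>.md file naming and all function names are assumptions), the following Python shows the CWE-22 pattern the description points at next to a hardened lookup that implements the allowlist and containment checks recommended above:

```python
"""Added example for this page: the CWE-22 pattern behind CVE-2026-7588 and a
hardened lookup. This is illustrative code written here, not the
coding-standards-mcp project's server.py; the guides directory layout, the
<language>.md naming and all function names are assumptions."""
import re
import tempfile
from pathlib import Path

# Assumed allowlist for the language token: lowercase identifier-like, no dots
# or separators, so "..", "/" and "\" can never appear in it.
LANGUAGE_RE = re.compile(r"[a-z][a-z0-9+#-]{0,31}")


def read_guide_unsafe(base: Path, language: str) -> str:
    """Assumed vulnerable pattern: the caller-controlled `language` argument is
    joined straight into a filesystem path and the file is read back. A value
    such as "../secret" walks out of `base`."""
    return (base / f"{language}.md").read_text(encoding="utf-8")


def available_languages(base: Path) -> set[str]:
    """Dynamic allowlist: only names for which a guide file actually exists."""
    return {p.stem for p in base.iterdir() if p.is_file() and p.suffix == ".md"}


def resolve_guide(base: Path, language: str) -> Path:
    """Hardened lookup: syntactic allowlist, existence allowlist, then a
    containment check on the fully resolved path (this last check also catches
    a symlink inside `base` that points elsewhere, which the first two cannot
    see)."""
    if not LANGUAGE_RE.fullmatch(language):
        raise ValueError(f"invalid language token: {language!r}")
    if language not in available_languages(base):
        raise ValueError(f"unknown language: {language!r}")
    base_r = base.resolve()
    target = (base_r / f"{language}.md").resolve()
    if target.parent != base_r or not target.is_file():
        raise ValueError(f"guide for {language!r} resolves outside the guides directory")
    return target


def read_guide(base: Path, language: str) -> str:
    return resolve_guide(base, language).read_text(encoding="utf-8")


def build_demo_tree(root: Path) -> Path:
    """Constructed sample layout (not real project data): one legitimate guide
    inside guides/ and a sensitive file one level above it."""
    guides = root / "guides"
    guides.mkdir()
    (guides / "python.md").write_text("# Python style guide\n", encoding="utf-8")
    (root / "secret.md").write_text("db_password=hunter2\n", encoding="utf-8")
    return guides


def demo() -> dict:
    """Run both lookups against the constructed tree and report what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        guides = build_demo_tree(Path(tmp))
        results = {
            # Vulnerable version: traversal reads the file outside guides/.
            "unsafe_leak": read_guide_unsafe(guides, "../secret"),
            # Hardened version: a legitimate language still works ...
            "safe_ok": read_guide(guides, "python"),
            "rejected": [],
        }
        # ... and traversal or lookalike tokens are refused before any file I/O.
        for token in ("../secret", "python/../../secret", "PYTHON", "python\x00", ""):
            try:
                read_guide(guides, token)
            except ValueError:
                results["rejected"].append(token)
        return results


if __name__ == "__main__":
    out = demo()
    print("unsafe read leaked:", out["unsafe_leak"].strip())
    print("safe read returned:", out["safe_ok"].strip())
    print("safe lookup rejected:", out["rejected"])
```

The three checks in resolve_guide are deliberately independent: the regex stops traversal characters before any filesystem call, the directory listing turns the allowlist into "whatever guides are actually installed" so it never drifts from the data, and the parent comparison on the resolved path is the backstop for cases the token checks cannot express, such as a symlinked guide. Both MCP tools named in the description would call the same resolver, so the fix lives in one place.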



Advisories

No advisories yet.

History

Fri, 01 May 2026 19:15:00 +0000

Type | Values Removed | Values Added
Metrics | (none) | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 01 May 2026 18:15:00 +0000

Type | Values Removed | Values Added
Description | (none) | A vulnerability was found in ggerve coding-standards-mcp. This issue affects the function get_style_guide/get_best_practices of the file server.py. The manipulation of the argument Language results in path traversal. It is possible to launch the attack remotely. The exploit has been made public and could be used. This product takes the approach of rolling releases to provide continuous delivery. Therefore, version details for affected and updated releases are not available. The project was informed of the problem early through an issue report but has not responded yet.
Title | (none) | ggerve coding-standards-mcp server.py get_best_practices path traversal
Weaknesses | (none) | CWE-22
References | (none) | (none listed)
Metrics | (none) | cvssV2_0 {'score': 5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:N/A:N/E:POC/RL:ND/RC:UR'}
Metrics | (none) | cvssV3_0 {'score': 5.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}
Metrics | (none) | cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}
Metrics | (none) | cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P'}



MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-01T18:14:53.475Z

Reserved: 2026-05-01T09:30:07.048Z

Link: CVE-2026-7588

Vulnrichment

Updated: 2026-05-01T18:14:41.640Z

NVD

Status : Deferred

Published: 2026-05-01T18:16:16.300

Modified: 2026-05-01T20:21:53.960

Link: CVE-2026-7588

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T10:15:16Z

Weaknesses