Description
A vulnerability was identified in eyal-gor p_69_branch_monkey_mcp up to 69bc71874ce40050ef45fde5a435855f18af3373. The affected element is an unknown function of the file branch_monkey_mcp/bridge_and_local_actions/routes/advanced.py of the component Preview Endpoint. Such manipulation of the argument dev_script leads to os command injection. The attack can be launched remotely. The exploit is publicly available and might be used. This product does not use versioning. This is why information about affected and unaffected releases is unavailable. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-05-01
Score: 6.9 Medium
EPSS: 1.0% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability lies in an unidentified function in branch_monkey_mcp/bridge_and_local_actions/routes/advanced.py, the file that implements the Preview Endpoint. The dev_script argument is used to build an OS command, so a value carrying shell metacharacters lets an attacker run arbitrary commands on the host (CWE-77/CWE-78). Successful exploitation yields remote command execution with the privileges of the web application process, which can be used for data exfiltration, tampering with the host or repository, or further compromise. The flaw is reported for commits up to 69bc71874ce40050ef45fde5a435855f18af3373, and no fix or mitigation has been published.

Affected Systems

The affected product is eyal-gor's p_69_branch_monkey_mcp project, distributed on GitHub. The repository does not use formal versioning, so no release numbers are documented; every revision up to and including commit 69bc71874ce40050ef45fde5a435855f18af3373 is considered vulnerable, and because the maintainer has not responded to the report, no fixed commit is known. Any deployed copy of the code that exposes the Preview Endpoint should be treated as at risk.

Risk and Exploitability

The CVSS 4.0 base score of 6.9 (Medium) reflects network-reachable, low-complexity exploitation with no privileges or user interaction required (AV:N/AC:L/PR:N/UI:N) but only partial confidentiality, integrity and availability impact on the vulnerable component; the CVSS 3.1 vector rates the same issue 7.3. The EPSS score is 1%, but a proof-of-concept exploit is publicly available and the SSVC assessment marks exploitation as 'poc' and the attack as automatable, so the threat is tangible. An attacker only needs to send a crafted dev_script value to the Preview Endpoint in an HTTP request to obtain command execution.

Generated by OpenCVE AI on May 2, 2026 at 14:38 UTC.

Remediation

No vendor fix or workaround is currently available.

OpenCVE Recommended Actions

  • No fixed commit exists yet. Disable or remove the Preview Endpoint until the upstream code no longer hands dev_script to a shell; if you maintain a fork, change the handler to execute a fixed argument list without a shell instead of building a command string from the request.
  • Validate dev_script against an allowlist of known script names (the preview scripts the deployment actually supports) and reject everything else. Rejecting shell metacharacters alone is not sufficient and should be treated as defense in depth only.
  • Restrict network exposure of the Preview Endpoint to trusted IP ranges or an internal network, and optionally place a web application firewall in front of it to drop requests containing command-injection patterns.
  • Run the application as a dedicated, least-privileged user with no more file-system or credential access than the preview needs, so that a successful injection is contained.
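The Python example below is added by the editor and is not code from the project or from VulDB. It illustrates the pattern behind the Impact and Risk sections and the first two recommended actions: a handler that concatenates dev_script into a shell command line, next to a shlex-quoted variant and a hardened version that validates the value against an allowlist and runs an argument list with no shell. It does not reproduce the real advanced.py; the echo-based LAUNCHER, the ALLOWED_DEV_SCRIPTS set and every function name are constructed stand-ins for whatever the Preview Endpoint actually launches, so the "exploit" here only prints a marker line.

```python
"""Command injection via a dev_script-style parameter, and two fixes.

Constructed example: it does NOT reproduce the project's advanced.py.
A plain `echo` stands in for the real launcher, so the injected payload
used below merely prints the word INJECTED.
"""
import re
import shlex
import subprocess

# Hypothetical allowlist: the only preview scripts this deployment may start.
ALLOWED_DEV_SCRIPTS = frozenset({"dev", "preview", "storybook"})
# Belt and braces: even allowlisted names must look like plain identifiers.
_SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}")

# Stand-in for the real launcher command (something like "npm run").
LAUNCHER = "echo launching preview"


def build_command_vulnerable(dev_script: str) -> str:
    """Vulnerable pattern: untrusted input concatenated into a shell line."""
    return f"{LAUNCHER} {dev_script}"


def run_vulnerable(dev_script: str) -> str:
    """Runs the concatenated line through /bin/sh (shell=True).

    Metacharacters in dev_script (';', '&&', '|', '$(...)', backticks) are
    interpreted by the shell, so the HTTP client decides what executes.
    """
    proc = subprocess.run(
        build_command_vulnerable(dev_script),
        shell=True, capture_output=True, text=True,
    )
    return proc.stdout


def build_command_quoted(dev_script: str) -> str:
    """Partial fix when a shell is unavoidable: quote the untrusted value.

    shlex.quote() makes the shell treat the value as one literal word. Still
    weaker than an argv list plus allowlist, because the value reaches a shell.
    """
    return f"{LAUNCHER} {shlex.quote(dev_script)}"


def run_quoted(dev_script: str) -> str:
    proc = subprocess.run(
        build_command_quoted(dev_script),
        shell=True, capture_output=True, text=True,
    )
    return proc.stdout


def validate_dev_script(dev_script: str) -> str:
    """Allowlist validation: only known script names pass."""
    if not _SAFE_NAME.fullmatch(dev_script):
        raise ValueError(f"dev_script has disallowed characters: {dev_script!r}")
    if dev_script not in ALLOWED_DEV_SCRIPTS:
        raise ValueError(f"dev_script is not an allowed preview script: {dev_script!r}")
    return dev_script


def build_command_hardened(dev_script: str) -> list[str]:
    """Hardened pattern: argv list, validated value as a single argument."""
    return [*LAUNCHER.split(), validate_dev_script(dev_script)]


def run_hardened(dev_script: str) -> dict:
    """Returns {'ok': True, 'output': ...} or {'ok': False, 'error': ...}.

    With shell=False the argv list goes straight to execve(); no shell ever
    parses the value, and names outside the allowlist never reach a process.
    """
    try:
        argv = build_command_hardened(dev_script)
    except ValueError as exc:
        return {"ok": False, "error": str(exc)}
    proc = subprocess.run(argv, shell=False, capture_output=True, text=True, check=True)
    return {"ok": True, "output": proc.stdout}


if __name__ == "__main__":
    payload = "dev; echo INJECTED"  # constructed attacker-controlled dev_script
    print("vulnerable:", run_vulnerable(payload).splitlines())
    print("quoted    :", run_quoted(payload).splitlines())
    print("hardened  :", run_hardened(payload))
    print("hardened  :", run_hardened("dev"))
```

Running the script shows the vulnerable handler emitting a second line, INJECTED, that the launcher never asked for; the quoted variant prints the whole payload as one harmless argument; the hardened handler refuses the payload before anything is executed and runs only the allowlisted name. The allowlist, not the character filter, is what makes the hardened version safe against payload encodings the regex does not anticipate.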


Advisories

No advisories yet.

History

Fri, 01 May 2026 22:15:00 +0000

Type      Values Removed   Values Added
Metrics   (none)           ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 01 May 2026 19:15:00 +0000

Type          Values Removed   Values Added
Description   (none)           A vulnerability was identified in eyal-gor p_69_branch_monkey_mcp up to 69bc71874ce40050ef45fde5a435855f18af3373. The affected element is an unknown function of the file branch_monkey_mcp/bridge_and_local_actions/routes/advanced.py of the component Preview Endpoint. Such manipulation of the argument dev_script leads to os command injection. The attack can be launched remotely. The exploit is publicly available and might be used. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. The project was informed of the problem early through an issue report but has not responded yet.
Title         (none)           eyal-gor p_69_branch_monkey_mcp Preview Endpoint advanced.py os command injection
Weaknesses    (none)           CWE-77, CWE-78
References    (none)           (empty)
Metrics       (none)           cvssV2_0: {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
                               cvssV3_0: {'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
                               cvssV3_1: {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
                               cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-01T21:31:33.190Z

Reserved: 2026-05-01T09:35:46.059Z

Link: CVE-2026-7590

Vulnrichment

Updated: 2026-05-01T21:31:24.606Z

NVD

Status : Deferred

Published: 2026-05-01T19:16:33.603

Modified: 2026-05-01T20:21:53.960

Link: CVE-2026-7590

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T14:45:44Z

Weaknesses