Description
A flaw has been found in ArtMin96 yii2-mcp-server 1.0.2. This impacts the function yii_command_help/yii_execute_command of the file src/index.ts of the component MCP Interface. Executing a manipulation can lead to os command injection. The attack can be executed remotely. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-05-02
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability in ArtMin96 yii2-mcp-server 1.0.2 allows an attacker to inject operating system commands via the yii_execute_command endpoint in src/index.ts, resulting in remote command execution. The flaw arises from insufficient input validation and is identified as CWE-77 and CWE-78, enabling an attacker to run arbitrary system commands with the privileges of the web process.

Affected Systems

Affected is the ArtMin96 yii2-mcp-server component, version 1.0.2. No other versions are explicitly listed, but the flaw is localized to the yii_command_help/yii_execute_command function in this release.

Risk and Exploitability

The CVSS score is 5.3, indicating a medium severity. EPSS is not available, which does not confirm current exploitation probability but the presence of a published exploit suggests it could be exploited. The vulnerability is not listed in the CISA KEV catalog. An attacker can reach the target remotely, sending crafted input to the MCP interface to trigger command execution.

Generated by OpenCVE AI on May 2, 2026 at 06:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a patched or newer version of yii2-mcp-server once the vendor releases a fix.
  • Restrict network access to the MCP interface so that only trusted networks or hosts can reach it.
  • Add input validation or sanitization to the yii_execute_command handler to filter out shell metacharacters.

Generated by OpenCVE AI on May 2, 2026 at 06:56 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 02 May 2026 00:15:00 +0000

Type Values Removed Values Added
Description A flaw has been found in ArtMin96 yii2-mcp-server 1.0.2. This impacts the function yii_command_help/yii_execute_command of the file src/index.ts of the component MCP Interface. Executing a manipulation can lead to os command injection. The attack can be executed remotely. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Title ArtMin96 yii2-mcp-server MCP index.ts yii_execute_command os command injection
Weaknesses CWE-77
CWE-78
References
Metrics cvssV2_0

{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-02T00:15:11.779Z

Reserved: 2026-05-01T10:49:33.137Z

Link: CVE-2026-7600

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-02T01:16:00.903

Modified: 2026-05-02T01:16:00.903

Link: CVE-2026-7600

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-02T07:00:06Z

Weaknesses