Description
A flaw has been found in ArtMin96 yii2-mcp-server 1.0.2. This impacts the function yii_command_help/yii_execute_command of the file src/index.ts of the component MCP Interface. Executing a manipulation can lead to os command injection. The attack can be executed remotely. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-05-02
Score: 5.3 Medium
EPSS: 1.2% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability in ArtMin96 yii2-mcp-server 1.0.2 allows an attacker to inject operating system commands via the yii_execute_command endpoint in src/index.ts, resulting in remote command execution. The flaw arises from insufficient input validation and is identified as CWE-77 and CWE-78, enabling an attacker to run arbitrary system commands with the privileges of the web process.

Affected Systems

Affected is the ArtMin96 yii2-mcp-server component, version 1.0.2. No other versions are explicitly listed, but the flaw is localized to the yii_command_help/yii_execute_command function in this release.

Risk and Exploitability

The CVSS score is 5.3, indicating medium severity. EPSS is not available, so the current exploitation probability is not confirmed, but the presence of a published exploit suggests the flaw could be exploited. The vulnerability is not listed in the CISA KEV catalog. An attacker can reach the target remotely, sending crafted input to the MCP interface to trigger command execution.

Generated by OpenCVE AI on May 2, 2026 at 06:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a patched or newer version of yii2-mcp-server once the vendor releases a fix.
  • Restrict network access to the MCP interface so that only trusted networks or hosts can reach it.
  • Add input validation or sanitization to the yii_execute_command handler to filter out shell metacharacters.

Generated by OpenCVE AI on May 2, 2026 at 06:56 UTC.
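
One way to apply the third recommended action, shown as an added example that is not code from yii2-mcp-server or from OpenCVE: validate the requested console route and build an argument vector that is run without a shell, so that the validation is a second barrier rather than the only one. The function names, the route and option patterns, and the `php <yiiPath>` invocation are assumptions.

```javascript
// Added example; not code from yii2-mcp-server. Names, patterns and the
// "php <yiiPath>" invocation are assumptions made for illustration.
const ROUTE = /^[a-z][a-z0-9-]*(\/[a-z][a-z0-9-]*){0,3}$/; // e.g. "migrate/up"
const OPTION = /^--[A-Za-z][A-Za-z0-9-]*(=[\s\S]*)?$/;     // e.g. "--interactive=0"

// Validate a tool request and return an argument vector (never a command string).
function buildYiiArgv(command, args = []) {
  if (typeof command !== "string" || !ROUTE.test(command)) {
    throw new Error("rejected command route");
  }
  if (!Array.isArray(args)) throw new Error("args must be an array");
  const argv = [command];
  for (const arg of args) {
    if (typeof arg !== "string" || arg.includes("\0")) {
      throw new Error("rejected argument");
    }
    // Anything that looks like an option must be a well-formed long option,
    // so a positional value cannot be reinterpreted as a switch.
    if (arg.startsWith("-") && !OPTION.test(arg)) {
      throw new Error("rejected option");
    }
    argv.push(arg);
  }
  return argv;
}

// Help lookups go through the same route check as execution.
function buildHelpArgv(command) {
  return ["help", ...buildYiiArgv(command)];
}

// Run the console script without a shell: each argv element reaches PHP as one
// literal argument, so ";", "|", "$()" and backticks are data, not syntax.
async function runYii(yiiPath, command, args = []) {
  const { execFile } = await import("node:child_process");
  const argv = [yiiPath, ...buildYiiArgv(command, args)];
  return new Promise((resolve, reject) => {
    execFile("php", argv, { shell: false, timeout: 30000 }, (err, stdout) =>
      err ? reject(err) : resolve(stdout));
  });
}
```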


Advisories
Source: Github GHSA
ID: GHSA-gc8w-x73w-p4rh
Title: yii2-mcp-server has a Command Injection Issue

History

Mon, 04 May 2026 18:15:00 +0000

Metrics added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 04 May 2026 16:15:00 +0000

First Time appeared added: Artmin96; Artmin96 yii2-mcp-server
Vendors & Products added: Artmin96; Artmin96 yii2-mcp-server

Sat, 02 May 2026 00:15:00 +0000

Description added: A flaw has been found in ArtMin96 yii2-mcp-server 1.0.2. This impacts the function yii_command_help/yii_execute_command of the file src/index.ts of the component MCP Interface. Executing a manipulation can lead to os command injection. The attack can be executed remotely. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Title added: ArtMin96 yii2-mcp-server MCP index.ts yii_execute_command os command injection
Weaknesses added: CWE-77, CWE-78
References
Metrics added:
cvssV2_0 {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
cvssV3_0 {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
cvssV3_1 {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-04T17:10:12.377Z

Reserved: 2026-05-01T10:49:33.137Z

Link: CVE-2026-7600

Vulnrichment

Updated: 2026-05-04T17:10:08.983Z

NVD

Status: Deferred

Published: 2026-05-02T01:16:00.903

Modified: 2026-05-05T19:17:22.860

Link: CVE-2026-7600

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-04T16:07:12Z

Weaknesses