Description
A flaw has been found in kleneway awesome-cursor-mpc-server up to 2.0.1. Impacted is the function runCodeReviewTool of the file src/tools/codeReview.ts of the component Ccode-Review Tool. Executing a manipulation can lead to command injection. The attack may be launched remotely. The exploit has been published and may be used. The project was informed of the problem early through a pull request but has not reacted yet.
Published: 2026-05-02
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the runCodeReviewTool function of src/tools/codeReview.ts in kleneway awesome-cursor-mpc-server. It allows an attacker to inject arbitrary shell commands by manipulating user input, leading to remote code execution. The flaw is classified as CWE‑74 (Command Injection) and CWE‑77 (Improper Neutralization of Special Elements used in an OS Command).

Affected Systems

The affected vendor is kleneway and the product is awesome‑cursor‑mpc‑server. All releases up to and including 2.0.1 are vulnerable when the runCodeReviewTool interface is exposed. No later releases or patches are available in the public record at the time of writing.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity. The EPSS score is not available, implying no publicly reported exploitation behavior beyond the available exploit. The vulnerability is not listed in KEV. The attack can be launched remotely by sending crafted input to the runCodeReviewTool endpoint. This suggests that, if the server is reachable from the Internet, an attacker could execute arbitrary commands on the host. The risk is elevated by the fact that the exploit has been published and is likely usable.

Generated by OpenCVE AI on May 2, 2026 at 14:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a fixed release of kleneway awesome‑cursor‑mpc‑server once an official patch is issued; if none is available, merge the code changes from pull request #14 that address the injection.
  • If an upgrade is not feasible, limit exposure by placing the service behind a firewall or by restricting the runCodeReviewTool endpoint to a trusted internal network or specific IP addresses.
  • Implement local input validation for runCodeReviewTool by sanitizing all arguments and rejecting anomalous data until a reliable vendor fix is released.

Advisories

No advisories yet.

History

Sat, 02 May 2026 13:30:00 +0000

Type | Values Removed | Values Added
Description | | A flaw has been found in kleneway awesome-cursor-mpc-server up to 2.0.1. Impacted is the function runCodeReviewTool of the file src/tools/codeReview.ts of the component Ccode-Review Tool. Executing a manipulation can lead to command injection. The attack may be launched remotely. The exploit has been published and may be used. The project was informed of the problem early through a pull request but has not reacted yet.
Title | | kleneway awesome-cursor-mpc-server Ccode-Review Tool codeReview.ts runCodeReviewTool command injection
Weaknesses | | CWE-74, CWE-77
References | |
Metrics | | cvssV2_0: {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
 | | cvssV3_0: {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
 | | cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
 | | cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-02T13:00:15.327Z

Reserved: 2026-05-01T14:24:56.185Z

Link: CVE-2026-7629

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-02T14:16:17.990

Modified: 2026-05-02T14:16:17.990

Link: CVE-2026-7629

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T14:45:44Z

Weaknesses