Description
A vulnerability was found in ruvnet sublinear-time-solver 1.5.0. Affected by this vulnerability is the function export_state of the file src/consciousness-explorer/mcp/server.js of the component MCP Interface. The manipulation results in path traversal. The attack can be executed remotely. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-05-02
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a path traversal in the export_state function of src/consciousness-explorer/mcp/server.js. An attacker can supply a crafted file path and read or modify arbitrary files on the server, exposing sensitive data and potentially enabling further attacks. This flaw is a local file access issue (CWE-22) that can compromise confidentiality and integrity of the system.

Affected Systems

Affected software is ruvnet sublinear-time-solver version 1.5.0, specifically the MCP Interface component. Only this version is listed; no newer versions with a fix are known.

Risk and Exploitability

The CVSS score is 6.9, indicating medium‑high risk. No EPSS data and the vulnerability is not listed in CISA KEV. A proof‑of‑concept exploit is publicly available, and the attack can be carried out remotely via the exported endpoint. The lack of vendor response raises the likelihood that the vulnerability could be actively used in the wild.

Generated by OpenCVE AI on May 2, 2026 at 16:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Restrict access to the export_state endpoint to trusted users or internal networks, removing external exposure when possible.
  • Implement strict input validation to reject directory traversal sequences and only allow whitelisted filenames.
  • Monitor web server logs for unusual file requests and use intrusion detection systems to detect traversal attempts.
  • Once the vendor releases a patched version, upgrade immediately.
  • If the export_state feature is not essential, disable or remove it to eliminate the attack surface.

Generated by OpenCVE AI on May 2, 2026 at 16:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-gc2j-wpjv-jhrw sublinear-time-solver has a Path Traversal Issue
History

Mon, 04 May 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 04 May 2026 16:15:00 +0000

Type Values Removed Values Added
First Time appeared Ruvnet
Ruvnet sublinear-time-solver
Vendors & Products Ruvnet
Ruvnet sublinear-time-solver

Sat, 02 May 2026 15:30:00 +0000

Type Values Removed Values Added
Description A vulnerability was found in ruvnet sublinear-time-solver 1.5.0. Affected by this vulnerability is the function export_state of the file src/consciousness-explorer/mcp/server.js of the component MCP Interface. The manipulation results in path traversal. The attack can be executed remotely. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet.
Title ruvnet sublinear-time-solver MCP server.js export_state path traversal
Weaknesses CWE-22
References
Metrics cvssV2_0

{'score': 6.4, 'vector': 'AV:N/AC:L/Au:N/C:N/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 6.5, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Ruvnet Sublinear-time-solver
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-04T17:51:20.933Z

Reserved: 2026-05-01T16:35:55.927Z

Link: CVE-2026-7645

cve-icon Vulnrichment

Updated: 2026-05-04T16:20:10.333Z

cve-icon NVD

Status : Deferred

Published: 2026-05-02T16:16:15.867

Modified: 2026-05-05T19:15:06.200

Link: CVE-2026-7645

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-04T16:06:47Z

Weaknesses