Description
A weakness has been identified in privsim mcp-test-runner 0.2.0. Impacted is the function child_process.spawn of the file src/index.ts of the component MCP Interface. Manipulation of the argument command can lead to OS command injection. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-05-04
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

privsim mcp-test-runner 0.2.0 contains a flaw in the child_process.spawn call within src/index.ts that allows attackers to craft the command argument and achieve OS command injection. The vulnerability is a classic command injection (CWE-77) that can be exploited entirely remotely, enabling the execution of arbitrary shell commands on the host system. The impact includes full compromise of confidentiality, integrity, and availability of the affected host.

Affected Systems

The affected product is privsim's mcp-test-runner, version 0.2.0. No other versions or vendors are listed as impacted by the CVE.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate severity, while the EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog. The public availability of an exploit and the ability to launch the attack remotely raise the risk level. Attackers could gain control of the system if the host is exposed, especially if the mcp-test-runner service is reachable from untrusted networks.

Generated by OpenCVE AI on May 4, 2026 at 05:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade privsim mcp-test-runner to a version that includes a fix for the command injection vulnerability as soon as it becomes available.
  • If an upgrade is not possible, reconfigure the application to disable or remove the child_process.spawn usage that accepts user-controlled input, or replace it with a safe alternative that does not invoke the shell.
  • Implement network segmentation or firewall rules to limit external access to the mcp-test-runner service, ensuring that only trusted hosts can interact with it.
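As an added illustration of the second recommendation (this is not code from the privsim project; the allowlist, the function names and the assumption that the MCP handler receives a command name plus an argument array are all constructed here), a TypeScript wrapper that keeps child_process.spawn off the shell and validates the untrusted command before anything is launched:

```typescript
import { spawn } from "node:child_process";
import type { ChildProcess, SpawnOptions } from "node:child_process";

// Constructed allowlist: the only programs this hypothetical runner may launch.
const ALLOWED_COMMANDS: ReadonlySet<string> = new Set(["node", "npm", "npx"]);

export interface SafeInvocation {
  file: string;
  args: string[];
  options: SpawnOptions;
}

// Turn an untrusted command name and argument list into a spawn invocation.
// shell is forced to false, so spawn hands each argv entry to the program
// verbatim: metacharacters such as ';', '|' or '$(' are data, not syntax.
// The command itself must match the allowlist exactly (no paths, no flags).
export function buildSafeInvocation(command: unknown, args: unknown): SafeInvocation {
  if (typeof command !== "string" || !ALLOWED_COMMANDS.has(command)) {
    throw new Error(`command not allowed: ${String(command)}`);
  }
  if (!Array.isArray(args) || !args.every((a) => typeof a === "string")) {
    throw new Error("args must be an array of strings");
  }
  const argv = args as string[];
  // A NUL byte cannot be carried in an argv entry and would silently
  // truncate the argument, so reject it instead of passing it on.
  if (argv.some((a) => a.includes("\0"))) {
    throw new Error("NUL byte in argument");
  }
  return {
    file: command,
    args: [...argv],
    options: { shell: false, stdio: "pipe", windowsHide: true },
  };
}

// Review check for the weak setting: with shell set to true or to a shell
// path, whatever the caller injects into the command string is interpreted
// by /bin/sh (or cmd.exe), which is the CWE-78 condition this CVE describes.
export function isShellInvocation(options: SpawnOptions): boolean {
  return options.shell !== undefined && options.shell !== false;
}

// Launch an allowlisted program; throws before spawning on bad input.
export function runAllowed(command: unknown, args: unknown): ChildProcess {
  const inv = buildSafeInvocation(command, args);
  return spawn(inv.file, inv.args, inv.options);
}
```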

Generated by OpenCVE AI on May 4, 2026 at 05:20 UTC.


Advisories

No advisories yet.

History

Mon, 04 May 2026 16:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Privsim; Privsim mcp-test-runner
Vendors & Products   -                Privsim; Privsim mcp-test-runner

Mon, 04 May 2026 11:15:00 +0000

Type      Values Removed   Values Added
Metrics   -                ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 04 May 2026 04:30:00 +0000

Type          Values Removed   Values Added
Description   -                A weakness has been identified in privsim mcp-test-runner 0.2.0. Impacted is the function child_process.spawn of the file src/index.ts of the component MCP Interface. Executing a manipulation of the argument command can lead to os command injection. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
Title         -                privsim mcp-test-runner MCP index.ts child_process.spawn os command injection
Weaknesses    -                CWE-77; CWE-78
References    -
Metrics       -                cvssV2_0: {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
                               cvssV3_0: {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
                               cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
                               cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-04T10:59:44.627Z

Reserved: 2026-05-03T16:05:50.191Z

Link: CVE-2026-7730

Vulnrichment

Updated: 2026-05-04T10:59:38.054Z

NVD

Status : Deferred

Published: 2026-05-04T05:16:01.340

Modified: 2026-05-04T15:18:40.077

Link: CVE-2026-7730

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-04T16:06:06Z

Weaknesses