Description
A weakness has been identified in huangjunsen0406 xiaozhi-mcphub up to 1.0.3. This vulnerability affects unknown code of the file src/controllers/dxtController.ts. This manipulation of the argument manifest.name causes path traversal. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-05-07
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A path traversal flaw exists in the dxtController.ts component of huangjunsen0406's xiaozhi-mcphub up to version 1.0.3. An attacker can manipulate the manifest.name parameter to reach files outside the intended directory, which allows viewing and potentially modifying sensitive files on the server and compromises confidentiality and integrity. The vulnerability is triggered by supplying crafted input during remote operations.

Affected Systems

The affected product is the xiaozhi-mcphub project maintained by huangjunsen0406. Versions up to and including 1.0.3 contain the flaw; the earliest affected release is not specified, and no newer release has been confirmed as patched. Users should check the repository for an updated release or apply the suggested mitigations.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity. No EPSS score is available, but a public exploit demonstrates that the flaw can be abused. The vulnerability is not listed in CISA KEV. Attackers would likely exploit it remotely by sending crafted requests to the dxtController endpoint, and because no vendor fix or mitigation is available, the path traversal can result in local file disclosure or modification, raising the risk for deployments exposed to the internet.

Generated by OpenCVE AI on May 8, 2026 at 00:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a version of xiaozhi-mcphub newer than 1.0.3 once available.
  • If upgrading is not possible, sanitize the manifest.name input by resolving the requested path against a fixed base directory and rejecting any attempt to navigate outside that base.
  • Restrict the file permissions of the application to the minimal set required, preventing read or write access to directories containing sensitive files.
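The second recommended action (resolve the requested name against a fixed base directory and reject anything that escapes it) as an added TypeScript example. This is not xiaozhi-mcphub's own code; the base directory, the function name and the rejection rules beyond the base-directory check are assumptions.

```typescript
import * as path from "path";

// Hypothetical base directory for installed DXT manifests (assumption, not
// the project's real layout).
const DXT_BASE_DIR = "/srv/xiaozhi-mcphub/dxt";

/**
 * Resolve a manifest name against a fixed base directory and return the
 * absolute target path only if it lies strictly inside that base.
 * Returns null for anything that should be rejected.
 */
function resolveManifestPath(baseDir: string, manifestName: unknown): string | null {
  // Only non-empty strings are acceptable names.
  if (typeof manifestName !== "string" || manifestName.length === 0) return null;
  // An embedded NUL byte can truncate the path at the filesystem layer.
  if (manifestName.includes("\0")) return null;
  // An absolute name would make path.resolve ignore the base directory.
  if (path.isAbsolute(manifestName)) return null;

  const base = path.resolve(baseDir);
  // path.resolve collapses "." and ".." segments, so any traversal shows up
  // as the result no longer sitting under the base.
  const target = path.resolve(base, manifestName);

  // Compare against base + separator: a bare startsWith(base) would wrongly
  // accept a sibling such as "<base>2/...". Requiring the separator also
  // rejects names that resolve to the base directory itself (e.g. ".").
  if (!target.startsWith(base + path.sep)) return null;
  return target;
}

// Convenience wrapper bound to the assumed manifest directory.
function resolveDxtManifest(manifestName: unknown): string | null {
  return resolveManifestPath(DXT_BASE_DIR, manifestName);
}
```

A caller that receives null should respond with a 400 and log the rejected name rather than falling back to the base directory.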


Advisories

No advisories yet.

History

Thu, 07 May 2026 23:45:00 +0000

Type Values Removed Values Added
Description A weakness has been identified in huangjunsen0406 xiaozhi-mcphub up to 1.0.3. This vulnerability affects unknown code of the file src/controllers/dxtController.ts. This manipulation of the argument manifest.name causes path traversal. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
Title huangjunsen0406 xiaozhi-mcphub dxtController.ts path traversal
Weaknesses CWE-22
References
Metrics cvssV2_0 {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
        cvssV3_0 {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
        cvssV3_1 {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
        cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-07T23:30:11.843Z

Reserved: 2026-05-07T16:40:21.891Z

Link: CVE-2026-8116

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-08T00:16:09.833

Modified: 2026-05-08T00:16:09.833

Link: CVE-2026-8116

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-08T00:30:25Z

Weaknesses