Description
A vulnerability has been found in c-rick jimeng-mcp 1.10.0. Affected by this vulnerability is the function getFileContent/uploadCoverFile/generateImage/generateVideo of the file src/api.ts. The manipulation of the argument filePath leads to path traversal. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-05-25
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Jimeng MCP application in version 1.10.0 includes a path traversal flaw in the getFileContent, uploadCoverFile, generateImage, and generateVideo functions defined in src/api.ts. The flaw arises because the filePath argument is used without proper validation, which lets an attacker reference files and directories outside the intended scope. The flaw is remotely reachable and can lead to reading of arbitrary files; in some configurations it may also allow overwriting of files, resulting in information disclosure or integrity compromise.

Affected Systems

The affected product is c-rick's Jimeng MCP, version 1.10.0. Any installation running this exact version is vulnerable until a vendor-issued fix is applied.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, and the EPSS score is not available, so the probability of exploitation is uncertain. The vulnerability is not listed in the CISA KEV catalog. Attackers can trigger the flaw remotely, and because the flaw bypasses path restrictions, the risk can be significant if the application processes untrusted input.

Generated by OpenCVE AI on May 25, 2026 at 17:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any available vendor patch or upgrade to a version of Jimeng MCP that corrects the path traversal issue.
  • If a fix is not yet released, restrict access to the API endpoints to authenticated users only and enforce strict validation to ensure filePath values remain within the expected directory hierarchy.
  • Implement monitoring and logging for attempts to access the affected endpoints, and review logs for anomalous or repeated path traversal patterns.


Advisories

No advisories yet.

History

Mon, 25 May 2026 16:30:00 +0000

Values added (no values removed):
Description: A vulnerability has been found in c-rick jimeng-mcp 1.10.0. Affected by this vulnerability is the function getFileContent/uploadCoverFile/generateImage/generateVideo of the file src/api.ts. The manipulation of the argument filePath leads to path traversal. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Title: c-rick jimeng-mcp api.ts generateVideo path traversal
First Time appeared: C-rick; C-rick jimeng-mcp
Weaknesses: CWE-22
CPEs: cpe:2.3:a:c-rick:jimeng-mcp:*:*:*:*:*:*:*:*
Vendors & Products: C-rick; C-rick jimeng-mcp
References:
Metrics:

cvssV2_0

{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-25T16:15:10.476Z

Reserved: 2026-05-24T09:09:48.816Z

Link: CVE-2026-9473

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-25T17:30:06Z

Weaknesses