CVE-2026-7039

HIGH EPSS 46.6%

Published Apr 26, 20262mo ago · Modified Jun 17, 20261w ago

7.1 CVSS 4.0

High

Published Apr 26, 2026 2mo ago

Last Modified Jun 17, 2026 1w ago

Description

A security vulnerability has been detected in tufantunc ssh-mcp up to 1.5.0. The affected element is the function shell.write of the file src/index.ts. Such manipulation of the argument Description leads to command injection. The attack must be carried out locally. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet.

CVSS Details

Base Score

7.1

Exploitability

—

Impact

—

Vector string

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector Local

Attack Complexity Low

Privileges Required Low

User Interaction None

Scope X

Threat Intelligence

EPSS Exploit Probability

46.6% percentile

Exploit & Patch Status

No Known Exploit

No Patch Available

Weaknesses 2

CWE-74

CWE-77 Command Injection Injection

References 5

github.com https://github.com/tufantunc/ssh-mcp/
github.com https://github.com/tufantunc/ssh-mcp/issues/44
vuldb.com https://vuldb.com/submit/798528
vuldb.com https://vuldb.com/vuln/359619
vuldb.com https://vuldb.com/vuln/359619/cti

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.