CVE-2026-5621

MEDIUM NVD

CVSS Score 5.3

Severity MEDIUM

Published Apr 06, 2026

Vendor unknown

Description

A vulnerability was found in ChrisChinchilla Vale-MCP up to 0.1.0. Affected by this vulnerability is an unknown functionality of the file src/index.ts of the component HTTP Interface. The manipulation of the argument config_path results in os command injection. Attacking locally is a requirement. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

References

https://github.com/wing3e/public_exp/issues/27
https://vuldb.com/submit/785591
https://vuldb.com/vuln/355411
https://vuldb.com/vuln/355411/cti