CVE-2026-4199

EUVD-2026-12269

16.03.2026, 14:20

A vulnerability was identified in bazinga012 mcp_code_executor up to 0.3.0. Affected by this issue is the function installDependencies of the file src/index.ts. Such manipulation leads to command injection. The attack can only be performed from a local environment. The exploit is publicly available and might be used. It is best practice to apply a patch to resolve this issue. The project was informed of the problem early through an issue report but has not responded yet.

Injection

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	5.3 MEDIUM	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
VulDB	CNA	5.3 MEDIUM				CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Common Weakness Enumeration

CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
The software constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

References

https://github.com/bazinga012/mcp_code_executor/

https://github.com/bazinga012/mcp_code_executor/issues/17

https://github.com/bazinga012/mcp_code_executor/pull/18/commits/a94ec2fea318597646ba1c44d8e44eb1c9196d20

https://github.com/user-attachments/files/25931133/mcp_code_executor_security_advisory.pdf

https://vuldb.com/?ctiid.351111

https://vuldb.com/?id.351111

https://vuldb.com/?submit.770424