CVE-2026-6980

Divyanshu-hash GitPilot-MCP main.py repo_path command injection

CVSS 6.9 MEDIUMEPSS 1.7%CWE-74 CWE-77

Vexday Risk Score

33Atención

Decisión SSVC (CISA)

Attend

PoC disponible → seguir de cerca

CVSS 6.9EPSS 1.7%KEV nãoPoC públicaNuclei —Metasploit —Patch —

Ciclo de vida

25 abr 2026Publicada en NVD

Recomendación: Planificar corrección próxima — ya existe PoC pública.

A vulnerability has been found in Divyanshu-hash GitPilot-MCP up to 9ed9f153ba4158a2ad230ee4871b25130da29ffd. This impacts the function repo_path of the file main.py. Such manipulation of the argument command leads to command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P

Productos afectados

Divyanshu-hash · GitPilot-MCP

PoCs públicas encontradas — 1

cve_referencegithub.com/wing3e/public_exp/issues/38no verificado

⚠ Recursos públicos, para evaluar la exposición de sistemas que controlas o estás autorizado a probar. Prueba solo con autorización.

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →

Referencias

https://github.com/wing3e/public_exp/issues/38 https://vuldb.com/submit/795502 https://vuldb.com/vuln/359523 https://vuldb.com/vuln/359523/cti