CVE-2026-7400
geekgod382 filesystem-mcp-server read_file_tool/write_file_tool server.py is_path_allowed path traversal
Vexday Risk Score
33Atención
Decisión SSVC (CISA)
Attend
PoC disponible → seguir de cerca
Madurez del exploit
Prueba de concepto
Existe prueba de concepto pública, pero aún no automatizada.
CVSS 6.9EPSS 0.4%KEV nãoPoC públicaNuclei —Metasploit —Patch referenciado
Ciclo de vida
29 abr 2026Publicada en NVD
Recomendación: Planificar corrección próxima — ya existe PoC pública.
A security vulnerability has been detected in geekgod382 filesystem-mcp-server 1.0.0. This issue affects the function is_path_allowed of the file server.py of the component read_file_tool/write_file_tool. Such manipulation leads to path traversal. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 1.1.0 is capable of addressing this issue. The name of the patch is 45364545fc60dc80aadcd4379f08042d3d3d292e. Upgrading the affected component is advised.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P
Productos afectados
geekgod382 · filesystem-mcp-serverPoCs públicas encontradas — 1
cve_referencegithub.com/geekgod382/filesystem-mcp-server/issues/1no verificado⚠ Recursos públicos, para evaluar la exposición de sistemas que controlas o estás autorizado a probar. Prueba solo con autorización.
Referencias
https://github.com/geekgod382/filesystem-mcp-server/https://github.com/geekgod382/filesystem-mcp-server/commit/45364545fc60dc80aadcd4379f08042d3d3d292ehttps://github.com/geekgod382/filesystem-mcp-server/issues/1https://github.com/geekgod382/filesystem-mcp-server/releases/tag/v1.1.0https://vuldb.com/submit/803495https://vuldb.com/vuln/360123https://vuldb.com/vuln/360123/cti