CVE-2026-10691

Summary

A security flaw has been discovered in wonderwhy-er DesktopCommanderMCP up to 0.2.38. This impacts an unknown function of the file src/search-manager.ts of the component start_search. Performing a manipulation of the argument SearchResult[] results in inefficient regular expression complexity. It is possible to initiate the attack remotely. The exploit has been released to the public and may be used for attacks. Upgrading to version 0.2.39 will fix this issue. The patch is named 4ce845f8749b6a159b57b38dcc3357f7222a8078. It is suggested to upgrade the affected component.

Affected Software

VendorProductVersion RangeStatus
wonderwhy-erDesktopCommanderMCP0.2.0affected
wonderwhy-erDesktopCommanderMCP0.2.1affected
wonderwhy-erDesktopCommanderMCP0.2.2affected
wonderwhy-erDesktopCommanderMCP0.2.3affected
wonderwhy-erDesktopCommanderMCP0.2.4affected
wonderwhy-erDesktopCommanderMCP0.2.5affected
wonderwhy-erDesktopCommanderMCP0.2.6affected
wonderwhy-erDesktopCommanderMCP0.2.7affected
wonderwhy-erDesktopCommanderMCP0.2.8affected
wonderwhy-erDesktopCommanderMCP0.2.9affected
wonderwhy-erDesktopCommanderMCP0.2.10affected
wonderwhy-erDesktopCommanderMCP0.2.11affected
wonderwhy-erDesktopCommanderMCP0.2.12affected
wonderwhy-erDesktopCommanderMCP0.2.13affected
wonderwhy-erDesktopCommanderMCP0.2.14affected
wonderwhy-erDesktopCommanderMCP0.2.15affected
wonderwhy-erDesktopCommanderMCP0.2.16affected
wonderwhy-erDesktopCommanderMCP0.2.17affected
wonderwhy-erDesktopCommanderMCP0.2.18affected
wonderwhy-erDesktopCommanderMCP0.2.19affected
wonderwhy-erDesktopCommanderMCP0.2.20affected
wonderwhy-erDesktopCommanderMCP0.2.21affected
wonderwhy-erDesktopCommanderMCP0.2.22affected
wonderwhy-erDesktopCommanderMCP0.2.23affected
wonderwhy-erDesktopCommanderMCP0.2.24affected
wonderwhy-erDesktopCommanderMCP0.2.25affected
wonderwhy-erDesktopCommanderMCP0.2.26affected
wonderwhy-erDesktopCommanderMCP0.2.27affected
wonderwhy-erDesktopCommanderMCP0.2.28affected
wonderwhy-erDesktopCommanderMCP0.2.29affected
wonderwhy-erDesktopCommanderMCP0.2.30affected
wonderwhy-erDesktopCommanderMCP0.2.31affected
wonderwhy-erDesktopCommanderMCP0.2.32affected
wonderwhy-erDesktopCommanderMCP0.2.33affected
wonderwhy-erDesktopCommanderMCP0.2.34affected
wonderwhy-erDesktopCommanderMCP0.2.35affected
wonderwhy-erDesktopCommanderMCP0.2.36affected
wonderwhy-erDesktopCommanderMCP0.2.37affected
wonderwhy-erDesktopCommanderMCP0.2.38affected
wonderwhy-erDesktopCommanderMCP0.2.39unaffected

Weaknesses

  • CWE-1333: Inefficient Regular Expression Complexity
  • CWE-400: Resource Consumption

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

References