CVE-2026-6130

Summary

A flaw has been found in chatboxai chatbox up to 1.20.0. This impacts the function StdioClientTransport of the file src/main/mcp/ipc-stdio-transport.ts of the component Model Context Protocol Server Management System. Executing a manipulation of the argument args/env can lead to os command injection. The attack can be launched remotely. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet.

Affected Software

VendorProductVersion RangeStatus
chatboxaichatbox1.0affected
chatboxaichatbox1.1affected
chatboxaichatbox1.2affected
chatboxaichatbox1.3affected
chatboxaichatbox1.4affected
chatboxaichatbox1.5affected
chatboxaichatbox1.6affected
chatboxaichatbox1.7affected
chatboxaichatbox1.8affected
chatboxaichatbox1.9affected
chatboxaichatbox1.10affected
chatboxaichatbox1.11affected
chatboxaichatbox1.12affected
chatboxaichatbox1.13affected
chatboxaichatbox1.14affected
chatboxaichatbox1.15affected
chatboxaichatbox1.16affected
chatboxaichatbox1.17affected
chatboxaichatbox1.18affected
chatboxaichatbox1.19affected
chatboxaichatbox1.20.0affected

Weaknesses

  • CWE-78: OS Command Injection
  • CWE-77: Command Injection

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: yes
    • Technical Impact: partial

References