CVE-2026-7039

Summary

A security vulnerability has been detected in tufantunc ssh-mcp up to 1.5.0. The affected element is the function shell.write of the file src/index.ts. Such manipulation of the argument Description leads to command injection. The attack must be carried out locally. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet.

Affected Software

VendorProductVersion RangeStatus
tufantuncssh-mcp1.0affected
tufantuncssh-mcp1.1affected
tufantuncssh-mcp1.2affected
tufantuncssh-mcp1.3affected
tufantuncssh-mcp1.4affected
tufantuncssh-mcp1.5.0affected

Weaknesses

  • CWE-77: Command Injection
  • CWE-74: Injection

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: total

References