CVE-2026-7715

Summary

A vulnerability has been found in ravenwits mcp-server-arangodb up to 0.4.7. This affects the function arango_backup of the file src/tools.ts of the component MCP Interface. Such manipulation of the argument outputDir leads to path traversal. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet.

Affected Software

VendorProductVersion RangeStatus
ravenwitsmcp-server-arangodb0.4.0affected
ravenwitsmcp-server-arangodb0.4.1affected
ravenwitsmcp-server-arangodb0.4.2affected
ravenwitsmcp-server-arangodb0.4.3affected
ravenwitsmcp-server-arangodb0.4.4affected
ravenwitsmcp-server-arangodb0.4.5affected
ravenwitsmcp-server-arangodb0.4.6affected
ravenwitsmcp-server-arangodb0.4.7affected

Weaknesses

  • CWE-22: Path Traversal

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

References