CVE-2026-10691: Inefficient Regular Expression Complexity in wonderwhy-er DesktopCommanderMCP
CVE-2026-10691 is a medium severity vulnerability in wonderwhy-er DesktopCommanderMCP versions up to 0.2.38. It involves inefficient regular expression complexity in the start_search component, specifically in the src/search-manager.ts file. This flaw can be triggered remotely by manipulating the SearchResult[] argument, potentially leading to performance degradation or denial of service. A patch fixing this issue is available in version 0.2.39, identified by commit 4ce845f8749b6a159b57b38dcc3357f7222a8078. Users are advised to upgrade to the fixed version to mitigate the risk.
AI Analysis
Technical Summary
The vulnerability CVE-2026-10691 affects wonderwhy-er DesktopCommanderMCP up to version 0.2.38 due to inefficient regular expression complexity in the start_search component (src/search-manager.ts). This can be exploited remotely by manipulating the SearchResult[] argument, causing excessive resource consumption. The issue is resolved in version 0.2.39 with a specific patch. The CVSS 4.0 score is 5.3 (medium severity), indicating a network attack vector with low attack complexity and no user interaction required.
Potential Impact
Exploitation of this vulnerability can lead to inefficient processing of regular expressions, potentially causing denial of service or degraded performance of the affected application. The attack can be initiated remotely without user interaction, but requires low privileges. There is no indication of data confidentiality, integrity, or availability compromise beyond performance impact.
Mitigation Recommendations
A fix is available in wonderwhy-er DesktopCommanderMCP version 0.2.39, which addresses the inefficient regular expression complexity issue. It is recommended to upgrade affected installations to this version. No other mitigation steps are specified or required.
CVSS v4.0
Score 5.3 (medium)
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-06-02T15:40:41.889Z
- Cvss Version: 4.0
- State: PUBLISHED
- Remediation Level: null
Threat ID: 6a1f6f72e29bf47b501470fa
Added to database: 6/3/2026, 12:04:02 AM
Last enriched: 6/3/2026, 12:18:42 AM
Last updated: 6/3/2026, 1:22:18 AM