CVE-2026-6980: Command Injection in Divyanshu-hash GitPilot-MCP
A vulnerability has been found in Divyanshu-hash GitPilot-MCP up to 9ed9f153ba4158a2ad230ee4871b25130da29ffd. This impacts the function repo_path of the file main.py. Such manipulation of the argument command leads to command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
This vulnerability affects Divyanshu-hash GitPilot-MCP up to commit 9ed9f153ba4158a2ad230ee4871b25130da29ffd. The issue lies in the repo_path function within main.py, where improper handling of the command argument leads to command injection. This allows an unauthenticated remote attacker to execute arbitrary commands on the affected system. The vulnerability is tracked as CVE-2026-6980 and is associated with CWE-77 (Improper Neutralization of Special Elements used in a Command) and CWE-74 (Injection). The vendor has not provided any patch or response, and the product lacks versioning, complicating identification of unaffected versions.
Potential Impact
Successful exploitation can lead to remote command execution with no privileges required and no user interaction needed. The impact includes potential compromise of the affected system, data exposure, or further system manipulation. The CVSS score of 6.9 reflects a medium severity with low complexity and no privileges required for exploitation. Although exploit code is publicly available, there are no confirmed reports of active exploitation in the wild.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since the vendor has not responded and no official fix is available, users should consider applying manual code review and mitigation such as input validation or disabling the vulnerable functionality if feasible. Monitor for updates from the vendor or trusted security sources for any forthcoming patches or official mitigations.
CVE-2026-6980: Command Injection in Divyanshu-hash GitPilot-MCP
Description
A vulnerability has been found in Divyanshu-hash GitPilot-MCP up to 9ed9f153ba4158a2ad230ee4871b25130da29ffd. This impacts the function repo_path of the file main.py. Such manipulation of the argument command leads to command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS v4.0
Score 6.9medium
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability affects Divyanshu-hash GitPilot-MCP up to commit 9ed9f153ba4158a2ad230ee4871b25130da29ffd. The issue lies in the repo_path function within main.py, where improper handling of the command argument leads to command injection. This allows an unauthenticated remote attacker to execute arbitrary commands on the affected system. The vulnerability is tracked as CVE-2026-6980 and is associated with CWE-77 (Improper Neutralization of Special Elements used in a Command) and CWE-74 (Injection). The vendor has not provided any patch or response, and the product lacks versioning, complicating identification of unaffected versions.
Potential Impact
Successful exploitation can lead to remote command execution with no privileges required and no user interaction needed. The impact includes potential compromise of the affected system, data exposure, or further system manipulation. The CVSS score of 6.9 reflects a medium severity with low complexity and no privileges required for exploitation. Although exploit code is publicly available, there are no confirmed reports of active exploitation in the wild.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since the vendor has not responded and no official fix is available, users should consider applying manual code review and mitigation such as input validation or disabling the vulnerable functionality if feasible. Monitor for updates from the vendor or trusted security sources for any forthcoming patches or official mitigations.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- VulDB
- Date Reserved
- 2026-04-24T18:56:48.432Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
- Epss Score
- 0.01021
- Epss Percentile
- 0.77308
- Epss Date
- 2026-04-26
- Gcve Source
- db.gcve.eu
Threat ID: 69ed416587115cfb684e5d7d
Added to database: 4/25/2026, 10:34:13 PM
Last enriched: 5/3/2026, 7:27:45 AM
Last updated: 6/9/2026, 11:45:53 PM
Views: 92
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.