CVE-2026-7404: Relative Path Traversal in getsimpletool mcpo-simple-server
CVE-2026-7404 is a medium severity vulnerability in getsimpletool mcpo-simple-server versions up to 0.2.0. It involves a relative path traversal weakness in the delete_shared_prompt function of the prompt_manager component. This flaw allows remote attackers to manipulate input arguments to traverse directories improperly. The vulnerability has a CVSS 4.0 base score of 6.9. Although an exploit is publicly available, the vendor has not yet responded or issued a patch.
AI Analysis
Technical Summary
This vulnerability affects the delete_shared_prompt function in src/mcpo_simple_server/services/prompt_manager/base_manager.py of getsimpletool mcpo-simple-server versions 0.1 and 0.2.0. The issue is a relative path traversal caused by improper validation of the 'detail' argument, enabling remote attackers to access or delete files outside the intended directory scope. The vulnerability is remotely exploitable without authentication or user interaction. The project was notified early but has not provided a fix or mitigation guidance. No official patch or workaround is currently available.
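The kind of containment check that a file-deleting handler needs in order to avoid this class of weakness, shown as an added example; it is not code from mcpo-simple-server. The names `resolve_prompt_path`, `delete_prompt`, `shared_prompts` and the sample files are hypothetical, and the inputs are constructed.

```python
import tempfile
from pathlib import Path


class UnsafePromptName(ValueError):
    """Raised when a name would resolve outside the prompt directory."""


def resolve_prompt_path(base_dir: Path, name: str) -> Path:
    """Map a caller-supplied name to a path strictly inside base_dir."""
    if not name or "\x00" in name:
        raise UnsafePromptName("empty name or NUL byte")
    base = base_dir.resolve()
    # resolve() collapses "." and ".." and follows symlinks, so the comparison
    # is made on the path the OS would actually operate on. An absolute name
    # replaces base entirely in the join and is caught by the same check.
    candidate = (base / name).resolve()
    if candidate == base or not candidate.is_relative_to(base):
        raise UnsafePromptName(f"{name!r} resolves outside {base}")
    return candidate


def delete_prompt(base_dir: Path, name: str) -> bool:
    """Delete one prompt file; return False if it does not exist."""
    target = resolve_prompt_path(base_dir, name)
    if not target.is_file():
        return False
    target.unlink()
    return True


def demo() -> dict:
    """Run constructed names against a throwaway directory tree."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        prompts = root / "shared_prompts"          # hypothetical store
        prompts.mkdir()
        (prompts / "greeting.json").write_text("{}")
        outside = root / "server_config.json"      # constructed file outside it
        outside.write_text("{}")
        cases = [("inside", "greeting.json"), ("dotdot", "../server_config.json"),
                 ("absolute", str(outside)), ("missing", "missing.json")]
        for label, name in cases:
            try:
                results[label] = delete_prompt(prompts, name)
            except UnsafePromptName:
                results[label] = "rejected"
        results["outside_survives"] = outside.exists()
    return results
```

`Path.is_relative_to` requires Python 3.9 or later.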
Potential Impact
Successful exploitation of this vulnerability could allow an unauthenticated remote attacker to perform unauthorized file system operations by traversing directories outside the intended path. This may lead to deletion or manipulation of arbitrary files on the server running the affected software. The CVSS 4.0 score of 6.9 reflects a medium severity impact with low complexity and no required privileges or user interaction.
Mitigation Recommendations
Patch status is not yet confirmed; check the vendor advisory for current remediation guidance. Since the vendor has not responded or released a fix, users should consider restricting network access to the affected service and monitoring for suspicious activity related to file operations. Avoid exposing the mcpo-simple-server to untrusted networks until a patch or official mitigation is available.
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-04-29T12:56:01.921Z
- CVSS Version: 4.0
- State: PUBLISHED
- Remediation Level: null
Threat ID: 69f26bc7cbff5d861048aa35
Added to database: 4/29/2026, 8:36:23 PM
Last enriched: 4/29/2026, 8:51:45 PM
Last updated: 4/29/2026, 9:58:25 PM