Threat Intelligence Database

A flaw has been found in fatbobman mail-mcp-bridge up to 1.3.3. Affected is an unknown function of the file src/mail_mcp_server.py. Executing a manipulation of the argument message_ids can lead to path traversal. The attack can be executed remotely. The exploit has been published and may be used. Upgrading to version 1.3.4 is able to address this issue. This patch is called 638b162b26532e32fa8d8047f638537dbdfe197a. Upgrading the affected component is recommended.

CVE-2026-7215 is a command injection vulnerability in the egtai gmx-vmd-mcp product version 0.1.0. The flaw exists in the launch_vmd_gui_tool function within the mcp_server.py file, where manipulation of the structure_file or trajectory_file arguments can lead to command injection. This vulnerability can be exploited remotely without authentication. The issue was reported to the project early, but no response or fix has been provided yet. The vulnerability has a CVSS 4.0 base score of 6.9, indicating medium severity.

A vulnerability was detected in ef10007 MLOps_MCP 1.0.0. This impacts an unknown function of the file fastmcp_server.py of the component save_file Tool. The manipulation of the argument filename/destination results in path traversal. The attack may be performed from remote. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet.

CVE-2026-7211 is a command injection vulnerability in dvladimirov MCP version 0.1.0, specifically in the GitSearchRequest function of the mcp_server.py file within the Git Search API component. An attacker can remotely manipulate the repo_url or pattern argument to execute arbitrary commands. The vulnerability has a CVSS 4.0 base score of 6.9, indicating medium severity. Although the issue was reported early, the project has not yet responded or provided a fix. Exploit code is publicly available, but no known exploits in the wild have been reported to date.