privsim mcp-test-runner MCP index.ts child_process.spawn os command injection_CVE-2026-7730

5.3 / 10

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P

Description

A weakness has been identified in privsim mcp-test-runner 0.2.0. Impacted is the function child_process.spawn of the file src/index.ts of the component MCP Interface. Executing a manipulation of the argument command can lead to os command injection. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.

Basic Information

ID CVE-2026-7730

Source VulDB

Published May 4, 2026 at 04:00

Affected Product

Vendor privsim

Product mcp-test-runner

Version 0.2.0

Affected Versions privsim mcp-test-runner 0.2.0

CWE Classification

CWE-78 CWE-77

References

{
    "lastseen": "",
    "description": "A weakness has been identified in privsim mcp-test-runner 0.2.0. Impacted is the function child_process.spawn of the file src/index.ts of the component MCP Interface. Executing a manipulation of the argument command can lead to os command injection. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.",
    "published": "2026-05-04T04:00:19.191Z",
    "modified": "2026-05-04T04:00:19.191Z",
    "type": "cve",
    "title": "privsim mcp-test-runner MCP index.ts child_process.spawn os command injection",
    "source": "VulDB",
    "references": "https://vuldb.com/vuln/360905\nhttps://vuldb.com/vuln/360905/cti\nhttps://vuldb.com/submit/807541\nhttps://github.com/privsim/mcp-test-runner/issues/24\nhttps://github.com/BruceJqs/public_exp/issues/37\nhttps://github.com/privsim/mcp-test-runner/",
    "id": "CVE-2026-7730",
    "bulletinFamily": "",
    "cwe": [
        "CWE-78",
        "CWE-77"
    ],
    "cvelist": null,
    "sourceData": "privsim mcp-test-runner 0.2.0",
    "sourceHref": "",
    "cvss": {
        "score": 5.3,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "mcp-test-runner",
    "version": "0.2.0",
    "vendor": "privsim",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}