{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5603", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-04-05T13:58:08.432Z", "datePublished": "2026-04-05T22:30:16.507Z", "dateUpdated": "2026-04-06T14:50:10.379Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-05T22:30:16.507Z"}, "title": "elgentos magento2-dev-mcp index.ts executeMagerun2Command os command injection", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-78", "lang": "en", "description": "OS Command Injection"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-77", "lang": "en", "description": "Command Injection"}]}], "affected": [{"vendor": "elgentos", "product": "magento2-dev-mcp", "versions": [{"version": "1.0.0", "status": "affected"}, {"version": "1.0.1", "status": "affected"}, {"version": "1.0.2", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability was identified in elgentos magento2-dev-mcp up to 1.0.2. The affected element is the function executeMagerun2Command of the file src/index.ts. Such manipulation leads to os command injection. An attack has to be approached locally. The exploit is publicly available and might be used. The name of the patch is aa1ffcc0aea1b212c69787391783af27df15ae9d. A patch should be applied to remediate this issue."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 4.8, "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C", "baseSeverity": "MEDIUM"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 5.3, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C", "baseSeverity": "MEDIUM"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 4.3, "vectorString": "AV:L/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C"}}], "timeline": [{"time": "2026-04-05T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-04-05T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-04-05T16:03:13.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "Yinci Chen (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/vuln/355395", "name": "VDB-355395 | elgentos magento2-dev-mcp index.ts executeMagerun2Command os command injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/355395/cti", "name": "VDB-355395 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/784864", "name": "Submit #784864 | elgentos magento2-dev-mcp <=1.0.2 Command Injection", "tags": ["third-party-advisory"]}, {"url": "https://github.com/elgentos/magento2-dev-mcp/issues/4", "tags": ["issue-tracking"]}, {"url": "https://github.com/elgentos/magento2-dev-mcp/pull/5", "tags": ["issue-tracking", "patch"]}, {"url": "https://github.com/user-attachments/files/25895777/magento2-dev-mcp_bug.pdf", "tags": ["exploit"]}, {"url": "https://github.com/elgentos/magento2-dev-mcp/commit/aa1ffcc0aea1b212c69787391783af27df15ae9d", "tags": ["patch"]}, {"url": "https://github.com/elgentos/magento2-dev-mcp/", "tags": ["product"]}], "tags": ["x_open-source"]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-06T14:33:52.746299Z", "id": "CVE-2026-5603", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T14:50:10.379Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-5603", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-06T14:33:52.746299Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T14:33:53.773Z"}}], "cna": {"tags": ["x_open-source"], "title": "elgentos magento2-dev-mcp index.ts executeMagerun2Command os command injection", "credits": [{"lang": "en", "type": "reporter", "value": "Yinci Chen (VulDB User)"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 4.8, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 4.3, "vectorString": "AV:L/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C"}}], "affected": [{"vendor": "elgentos", "product": "magento2-dev-mcp", "versions": [{"status": "affected", "version": "1.0.0"}, {"status": "affected", "version": "1.0.1"}, {"status": "affected", "version": "1.0.2"}]}], "timeline": [{"lang": "en", "time": "2026-04-05T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-04-05T02:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-04-05T16:03:13.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/vuln/355395", "name": "VDB-355395 | elgentos magento2-dev-mcp index.ts executeMagerun2Command os command injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/355395/cti", "name": "VDB-355395 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/784864", "name": "Submit #784864 | elgentos magento2-dev-mcp <=1.0.2 Command Injection", "tags": ["third-party-advisory"]}, {"url": "https://github.com/elgentos/magento2-dev-mcp/issues/4", "tags": ["issue-tracking"]}, {"url": "https://github.com/elgentos/magento2-dev-mcp/pull/5", "tags": ["issue-tracking", "patch"]}, {"url": "https://github.com/user-attachments/files/25895777/magento2-dev-mcp_bug.pdf", "tags": ["exploit"]}, {"url": "https://github.com/elgentos/magento2-dev-mcp/commit/aa1ffcc0aea1b212c69787391783af27df15ae9d", "tags": ["patch"]}, {"url": "https://github.com/elgentos/magento2-dev-mcp/", "tags": ["product"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was identified in elgentos magento2-dev-mcp up to 1.0.2. The affected element is the function executeMagerun2Command of the file src/index.ts. Such manipulation leads to os command injection. An attack has to be approached locally. The exploit is publicly available and might be used. The name of the patch is aa1ffcc0aea1b212c69787391783af27df15ae9d. A patch should be applied to remediate this issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "OS Command Injection"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-77", "description": "Command Injection"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-05T22:30:16.507Z"}}}, "cveMetadata": {"cveId": "CVE-2026-5603", "state": "PUBLISHED", "dateUpdated": "2026-04-06T14:50:10.379Z", "dateReserved": "2026-04-05T13:58:08.432Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-04-05T22:30:16.507Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was identified in elgentos magento2-dev-mcp up to 1.0.2. The affected element is the function executeMagerun2Command of the file src/index.ts. Such manipulation leads to os command injection. An attack has to be approached locally. The exploit is publicly available and might be used. The name of the patch is aa1ffcc0aea1b212c69787391783af27df15ae9d. A patch should be applied to remediate this issue."}], "id": "CVE-2026-5603", "lastModified": "2026-04-29T01:00:01.613", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 3.1, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 1.9, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-04-05T23:16:20.390", "references": [{"source": "cna@vuldb.com", "url": "https://github.com/elgentos/magento2-dev-mcp/"}, {"source": "cna@vuldb.com", "url": "https://github.com/elgentos/magento2-dev-mcp/commit/aa1ffcc0aea1b212c69787391783af27df15ae9d"}, {"source": "cna@vuldb.com", "url": "https://github.com/elgentos/magento2-dev-mcp/issues/4"}, {"source": "cna@vuldb.com", "url": "https://github.com/elgentos/magento2-dev-mcp/pull/5"}, {"source": "cna@vuldb.com", "url": "https://github.com/user-attachments/files/25895777/magento2-dev-mcp_bug.pdf"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/submit/784864"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/355395"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/355395/cti"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-77"}, {"lang": "en", "value": "CWE-78"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.0.0"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.0.1"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.0.2"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "magento2-dev-mcp", "source": "cna", "vendor": "elgentos"}, "product": "magento2-dev-mcp", "vendor": "elgentos"}], "analysis": {"en": {"generated_at": "2026-04-06T01:50:44.258148+00:00", "value": {"mitigation_remediation": ["Apply the patch identified by commit aa1ffcc0aea1b212c69787391783af27df15ae9d or upgrade elgentos magento2-dev-mcp to a version newer than 1.0.2.", "Verify that the executeMagerun2Command function no longer accepts untrusted input after the update or patch.", "Restrict local access to the system running the component so that only trusted users can invoke it.", "Conduct a security scan or code review to ensure no other command\u2011injection paths remain."], "summary": {"action": "Apply Patch", "impact": "Command Injection"}, "threat_synthesis": {"affected_systems": "The affected product is elgentos magento2-dev-mcp, with all releases up to and including version 1.0.2 vulnerable. No other vendors or products are listed as impacted.", "description_and_impact": "The vulnerability resides in the executeMagerun2Command function within the elgentos magento2-dev-mcp package, allowing local attackers to inject arbitrary operating\u2011system commands. This flaw permits execution of commands on the system where the component runs, potentially compromising confidentiality, integrity, and availability of that environment. The weakness is categorized as OS Command Injection (CWE-77, CWE-78).", "risk_and_exploitability": "The CVSS base score is 4.8, which places the vulnerability in the Low severity range. The EPSS score is not available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Exploitation requires local access, as stated by the vendor, and a public exploit is available. While remote exploitation is not feasible, the presence of a local command\u2011injection vector remains a concern for systems that allow local users to invoke the component."}}}}, "created": "2026-04-06T20:22:13.849973+00:00", "updated": "2026-04-06T21:48:05.098221+00:00", "vendors": ["elgentos", "elgentos$PRODUCT$magento2-dev-mcp"]}