{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5802", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-04-08T14:29:32.763Z", "datePublished": "2026-04-08T20:00:24.876Z", "dateUpdated": "2026-04-10T20:47:03.503Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-08T20:00:24.876Z"}, "title": "idachev mcp-javadc HTTP os command injection", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-78", "lang": "en", "description": "OS Command Injection"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-77", "lang": "en", "description": "Command Injection"}]}], "affected": [{"vendor": "idachev", "product": "mcp-javadc", "versions": [{"version": "1.2.0", "status": "affected"}, {"version": "1.2.1", "status": "affected"}, {"version": "1.2.2", "status": "affected"}, {"version": "1.2.3", "status": "affected"}, {"version": "1.2.4", "status": "affected"}], "modules": ["HTTP Interface"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was identified in idachev mcp-javadc up to 1.2.4. Impacted is an unknown function of the component HTTP Interface. Such manipulation of the argument jarFilePath leads to os command injection. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "HIGH"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 7.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "HIGH"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-04-08T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-04-08T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-04-08T16:34:37.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "BruceJin (VulDB User)", "type": "reporter"}, {"lang": "en", "value": "VulDB CNA Team", "type": "coordinator"}], "references": [{"url": "https://vuldb.com/vuln/356241", "name": "VDB-356241 | idachev mcp-javadc HTTP os command injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/356241/cti", "name": "VDB-356241 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/786974", "name": "Submit #786974 | idachev @idachev/mcp-javadc 1.2.4 Command Injection", "tags": ["third-party-advisory"]}, {"url": "https://github.com/idachev/mcp-javadc/issues/7", "tags": ["issue-tracking"]}, {"url": "https://github.com/BruceJqs/public_exp/issues/2", "tags": ["exploit", "issue-tracking"]}, {"url": "https://github.com/idachev/mcp-javadc/", "tags": ["product"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-10T20:46:37.536090Z", "id": "CVE-2026-5802", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-10T20:47:03.503Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-5802", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-10T20:46:37.536090Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-10T20:46:59.768Z"}}], "cna": {"title": "idachev mcp-javadc HTTP os command injection", "credits": [{"lang": "en", "type": "reporter", "value": "BruceJin (VulDB User)"}, {"lang": "en", "type": "coordinator", "value": "VulDB CNA Team"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 7.3, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 7.3, "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "affected": [{"vendor": "idachev", "modules": ["HTTP Interface"], "product": "mcp-javadc", "versions": [{"status": "affected", "version": "1.2.0"}, {"status": "affected", "version": "1.2.1"}, {"status": "affected", "version": "1.2.2"}, {"status": "affected", "version": "1.2.3"}, {"status": "affected", "version": "1.2.4"}]}], "timeline": [{"lang": "en", "time": "2026-04-08T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-04-08T02:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-04-08T16:34:37.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/vuln/356241", "name": "VDB-356241 | idachev mcp-javadc HTTP os command injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/356241/cti", "name": "VDB-356241 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/786974", "name": "Submit #786974 | idachev @idachev/mcp-javadc 1.2.4 Command Injection", "tags": ["third-party-advisory"]}, {"url": "https://github.com/idachev/mcp-javadc/issues/7", "tags": ["issue-tracking"]}, {"url": "https://github.com/BruceJqs/public_exp/issues/2", "tags": ["exploit", "issue-tracking"]}, {"url": "https://github.com/idachev/mcp-javadc/", "tags": ["product"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was identified in idachev mcp-javadc up to 1.2.4. Impacted is an unknown function of the component HTTP Interface. Such manipulation of the argument jarFilePath leads to os command injection. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "OS Command Injection"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-77", "description": "Command Injection"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-08T20:00:24.876Z"}}}, "cveMetadata": {"cveId": "CVE-2026-5802", "state": "PUBLISHED", "dateUpdated": "2026-04-10T20:47:03.503Z", "dateReserved": "2026-04-08T14:29:32.763Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-04-08T20:00:24.876Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was identified in idachev mcp-javadc up to 1.2.4. Impacted is an unknown function of the component HTTP Interface. Such manipulation of the argument jarFilePath leads to os command injection. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet."}], "id": "CVE-2026-5802", "lastModified": "2026-04-29T01:00:01.613", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-04-08T20:16:27.340", "references": [{"source": "cna@vuldb.com", "url": "https://github.com/BruceJqs/public_exp/issues/2"}, {"source": "cna@vuldb.com", "url": "https://github.com/idachev/mcp-javadc/"}, {"source": "cna@vuldb.com", "url": "https://github.com/idachev/mcp-javadc/issues/7"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/submit/786974"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/356241"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/356241/cti"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-77"}, {"lang": "en", "value": "CWE-78"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.2.0"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.2.1"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.2.2"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.2.3"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.2.4"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "mcp-javadc", "source": "cna", "vendor": "idachev"}, "product": "mcp-javadc", "vendor": "idachev"}], "analysis": {"en": {"generated_at": "2026-04-08T21:52:02.143883+00:00", "value": {"mitigation_remediation": ["Check the author\u2019s repository or official vendor site for a patched release and upgrade to a fixed version as soon as one is available.", "Limit exposure of the HTTP interface to trusted networks only, using firewall rules, IP whitelisting, or VPN tunnel requirements.", "Instrument the service to log incoming jarFilePath values and investigate any suspicious characters or command separators such as \u201c;\u201d, \u201c&&\u201d, or \u201c|\u201d.", "If code changes are possible, insert server\u2011side validation or sanitization to reject or escape any shell metacharacters before the jarFilePath value is utilized."], "summary": {"action": "Immediate Patch", "impact": "Remote OS Command Injection"}, "threat_synthesis": {"affected_systems": "The flaw exists in idachev mcp-javadc releases up to version 1.2.4. It is triggered through a web\u2011based HTTP endpoint that is exposed to network traffic, meaning any deployment of the affected application, regardless of underlying operating system, is susceptible.", "description_and_impact": "An HTTP interface in idachev mcp-javadc accepts a jarFilePath argument that is passed directly to the operating system\u2019s command line, creating a classic OS command injection flaw identified by CWE-77. The vulnerability also falls under the broader Command Injection category (CWE-78), allowing an attacker to inject arbitrary shell commands. Successful exploitation grants the attacker the ability to execute any command on the host, potentially leading to full system compromise, data theft, or denial of service.", "risk_and_exploitability": "With a CVSS score of 6.9 the vulnerability signals moderate severity, but the publicly available proof\u2011of\u2011concept means an attack can be launched remotely by sending crafted requests. The lack of an EPSS score and absence from the CISA KEV catalog do not reduce the risk; the operator still faces the possibility of local or remote compromise without requiring authenticated access or privileged rights. The architecture allows direct command execution, making the threat highly actionable for a motivated attacker."}}}}, "created": "2026-04-09T08:18:08.251596+00:00", "updated": "2026-04-09T08:27:30.750191+00:00", "vendors": ["idachev", "idachev$PRODUCT$mcp-javadc"]}