{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5833", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-04-08T17:15:28.223Z", "datePublished": "2026-04-09T02:15:14.582Z", "dateUpdated": "2026-04-09T12:59:48.172Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-09T02:15:14.582Z"}, "title": "awwaiid mcp-server-taskwarrior index.ts server.setRequestHandler command injection", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-77", "lang": "en", "description": "Command Injection"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-74", "lang": "en", "description": "Injection"}]}], "affected": [{"vendor": "awwaiid", "product": "mcp-server-taskwarrior", "versions": [{"version": "1.0.0", "status": "affected"}, {"version": "1.0.1", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "A security vulnerability has been detected in awwaiid mcp-server-taskwarrior up to 1.0.1. This impacts the function server.setRequestHandler of the file index.ts. Such manipulation of the argument Identifier leads to command injection. The attack must be carried out locally. The exploit has been disclosed publicly and may be used. The name of the patch is 1ee3d282debfa0a99afeb41d22c4b2fd5a3148f2. Applying a patch is advised to resolve this issue. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 4.8, "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C", "baseSeverity": "MEDIUM"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 5.3, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C", "baseSeverity": "MEDIUM"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 4.3, "vectorString": "AV:L/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C"}}], "timeline": [{"time": "2026-04-08T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-04-08T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-04-08T19:20:36.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "Yinci Chen (VulDB User)", "type": "reporter"}, {"lang": "en", "value": "VulDB CNA Team", "type": "coordinator"}], "references": [{"url": "https://vuldb.com/vuln/356289", "name": "VDB-356289 | awwaiid mcp-server-taskwarrior index.ts server.setRequestHandler command injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/356289/cti", "name": "VDB-356289 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/789810", "name": "Submit #789810 | awwaiid mcp-server-taskwarrior <=1.0.1 Command Injection", "tags": ["third-party-advisory"]}, {"url": "https://github.com/awwaiid/mcp-server-taskwarrior/issues/8", "tags": ["issue-tracking"]}, {"url": "https://github.com/awwaiid/mcp-server-taskwarrior/issues/8#issuecomment-4139402095", "tags": ["issue-tracking"]}, {"url": "https://github.com/user-attachments/files/25923228/mcp-server-taskwarrior_bug.pdf", "tags": ["exploit"]}, {"url": "https://github.com/awwaiid/mcp-server-taskwarrior/commit/1ee3d282debfa0a99afeb41d22c4b2fd5a3148f2", "tags": ["patch"]}, {"url": "https://github.com/awwaiid/mcp-server-taskwarrior/", "tags": ["product"]}], "tags": ["x_open-source"]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-09T12:59:39.595981Z", "id": "CVE-2026-5833", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T12:59:48.172Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-5833", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-09T12:59:39.595981Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T12:59:43.755Z"}}], "cna": {"tags": ["x_open-source"], "title": "awwaiid mcp-server-taskwarrior index.ts server.setRequestHandler command injection", "credits": [{"lang": "en", "type": "reporter", "value": "Yinci Chen (VulDB User)"}, {"lang": "en", "type": "coordinator", "value": "VulDB CNA Team"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 4.8, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 4.3, "vectorString": "AV:L/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C"}}], "affected": [{"vendor": "awwaiid", "product": "mcp-server-taskwarrior", "versions": [{"status": "affected", "version": "1.0.0"}, {"status": "affected", "version": "1.0.1"}]}], "timeline": [{"lang": "en", "time": "2026-04-08T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-04-08T02:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-04-08T19:20:36.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/vuln/356289", "name": "VDB-356289 | awwaiid mcp-server-taskwarrior index.ts server.setRequestHandler command injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/356289/cti", "name": "VDB-356289 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/789810", "name": "Submit #789810 | awwaiid mcp-server-taskwarrior <=1.0.1 Command Injection", "tags": ["third-party-advisory"]}, {"url": "https://github.com/awwaiid/mcp-server-taskwarrior/issues/8", "tags": ["issue-tracking"]}, {"url": "https://github.com/awwaiid/mcp-server-taskwarrior/issues/8#issuecomment-4139402095", "tags": ["issue-tracking"]}, {"url": "https://github.com/user-attachments/files/25923228/mcp-server-taskwarrior_bug.pdf", "tags": ["exploit"]}, {"url": "https://github.com/awwaiid/mcp-server-taskwarrior/commit/1ee3d282debfa0a99afeb41d22c4b2fd5a3148f2", "tags": ["patch"]}, {"url": "https://github.com/awwaiid/mcp-server-taskwarrior/", "tags": ["product"]}], "descriptions": [{"lang": "en", "value": "A security vulnerability has been detected in awwaiid mcp-server-taskwarrior up to 1.0.1. This impacts the function server.setRequestHandler of the file index.ts. Such manipulation of the argument Identifier leads to command injection. The attack must be carried out locally. The exploit has been disclosed publicly and may be used. The name of the patch is 1ee3d282debfa0a99afeb41d22c4b2fd5a3148f2. Applying a patch is advised to resolve this issue. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-77", "description": "Command Injection"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-74", "description": "Injection"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-09T02:15:14.582Z"}}}, "cveMetadata": {"cveId": "CVE-2026-5833", "state": "PUBLISHED", "dateUpdated": "2026-04-09T12:59:48.172Z", "dateReserved": "2026-04-08T17:15:28.223Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-04-09T02:15:14.582Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A security vulnerability has been detected in awwaiid mcp-server-taskwarrior up to 1.0.1. This impacts the function server.setRequestHandler of the file index.ts. Such manipulation of the argument Identifier leads to command injection. The attack must be carried out locally. The exploit has been disclosed publicly and may be used. The name of the patch is 1ee3d282debfa0a99afeb41d22c4b2fd5a3148f2. Applying a patch is advised to resolve this issue. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product."}], "id": "CVE-2026-5833", "lastModified": "2026-04-29T01:00:01.613", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 3.1, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 1.9, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-04-09T04:17:16.900", "references": [{"source": "cna@vuldb.com", "url": "https://github.com/awwaiid/mcp-server-taskwarrior/"}, {"source": "cna@vuldb.com", "url": "https://github.com/awwaiid/mcp-server-taskwarrior/commit/1ee3d282debfa0a99afeb41d22c4b2fd5a3148f2"}, {"source": "cna@vuldb.com", "url": "https://github.com/awwaiid/mcp-server-taskwarrior/issues/8"}, {"source": "cna@vuldb.com", "url": "https://github.com/awwaiid/mcp-server-taskwarrior/issues/8#issuecomment-4139402095"}, {"source": "cna@vuldb.com", "url": "https://github.com/user-attachments/files/25923228/mcp-server-taskwarrior_bug.pdf"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/submit/789810"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/356289"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/356289/cti"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-77"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.0.0"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.0.1"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "mcp-server-taskwarrior", "source": "cna", "vendor": "awwaiid"}, "product": "mcp-server-taskwarrior", "vendor": "awwaiid"}], "analysis": {"en": {"generated_at": "2026-04-09T04:51:14.128451+00:00", "value": {"mitigation_remediation": ["Upgrade mcp\u2011server\u2011taskwarrior to the fixed version that includes commit 1ee3d282debfa0a99afeb41d22c4b2fd5a3148f2"], "summary": {"action": "Apply Patch", "impact": "Command Injection"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the awwaiid mcp\u2011server\u2011taskwarrior package in all releases up to 1.0.1. Users running those versions on their local infrastructure are susceptible; any machine where the service is deployed locally can be impacted.", "description_and_impact": "The flaw resides in the server.setRequestHandler function in index.ts, where the Identifier argument is accepted without proper validation. A crafted value can inject shell commands that the server executes, allowing a local attacker to run arbitrary code on the host with the privileges of the mcp\u2011server\u2011taskwarrior process. The weakness maps to CWE\u201174 (Improper Neutralization of Input During Web Page Generation) and CWE\u201177 (Improper Access Control).", "risk_and_exploitability": "The CVSS base score of 4.8 indicates a moderate severity. No EPSS score is available, and the issue is not listed in the CISA KEV catalog, suggesting limited known exploitation. However, the public disclosure and the confirmed command\u2011injection capability mean that a local attacker, such as an insider or a compromised local process, could leverage this flaw. The exploitation requires local access to generate a crafted request to the server, reducing the risk of widespread remote attacks."}}}}, "created": "2026-04-09T08:15:49.216746+00:00", "updated": "2026-04-09T08:25:15.813213+00:00", "vendors": ["awwaiid", "awwaiid$PRODUCT$mcp-server-taskwarrior"]}