{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6980", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-04-24T18:56:48.432Z", "datePublished": "2026-04-25T13:00:15.153Z", "dateUpdated": "2026-04-27T12:29:29.663Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-25T13:00:15.153Z"}, "title": "Divyanshu-hash GitPilot-MCP main.py repo_path command injection", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-77", "lang": "en", "description": "Command Injection"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-74", "lang": "en", "description": "Injection"}]}], "affected": [{"vendor": "Divyanshu-hash", "product": "GitPilot-MCP", "versions": [{"version": "9ed9f153ba4158a2ad230ee4871b25130da29ffd", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability has been found in Divyanshu-hash GitPilot-MCP up to 9ed9f153ba4158a2ad230ee4871b25130da29ffd. This impacts the function repo_path of the file main.py. Such manipulation of the argument command leads to command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "HIGH"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 7.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "HIGH"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-04-24T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-04-24T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-04-24T21:01:56.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "BigW (VulDB User)", "type": "reporter"}, {"lang": "en", "value": "VulDB CNA Team", "type": "coordinator"}], "references": [{"url": "https://vuldb.com/vuln/359523", "name": "VDB-359523 | Divyanshu-hash GitPilot-MCP main.py repo_path command injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/359523/cti", "name": "VDB-359523 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/795502", "name": "Submit #795502 | Divyanshu-hash GitPilot-MCP 9ed9f153ba4158a2ad230ee4871b25130da29ffd Command Injection", "tags": ["third-party-advisory"]}, {"url": "https://github.com/wing3e/public_exp/issues/38", "tags": ["exploit", "issue-tracking"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-27T12:29:17.554550Z", "id": "CVE-2026-6980", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-27T12:29:29.663Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-6980", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-27T12:29:17.554550Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-27T12:29:23.471Z"}}], "cna": {"title": "Divyanshu-hash GitPilot-MCP main.py repo_path command injection", "credits": [{"lang": "en", "type": "reporter", "value": "BigW (VulDB User)"}, {"lang": "en", "type": "coordinator", "value": "VulDB CNA Team"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 7.3, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 7.3, "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "affected": [{"vendor": "Divyanshu-hash", "product": "GitPilot-MCP", "versions": [{"status": "affected", "version": "9ed9f153ba4158a2ad230ee4871b25130da29ffd"}]}], "timeline": [{"lang": "en", "time": "2026-04-24T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-04-24T02:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-04-24T21:01:56.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/vuln/359523", "name": "VDB-359523 | Divyanshu-hash GitPilot-MCP main.py repo_path command injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/359523/cti", "name": "VDB-359523 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/795502", "name": "Submit #795502 | Divyanshu-hash GitPilot-MCP 9ed9f153ba4158a2ad230ee4871b25130da29ffd Command Injection", "tags": ["third-party-advisory"]}, {"url": "https://github.com/wing3e/public_exp/issues/38", "tags": ["exploit", "issue-tracking"]}], "descriptions": [{"lang": "en", "value": "A vulnerability has been found in Divyanshu-hash GitPilot-MCP up to 9ed9f153ba4158a2ad230ee4871b25130da29ffd. This impacts the function repo_path of the file main.py. Such manipulation of the argument command leads to command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. The vendor was contacted early about this disclosure but did not respond in any way."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-77", "description": "Command Injection"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-74", "description": "Injection"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-25T13:00:15.153Z"}}}, "cveMetadata": {"cveId": "CVE-2026-6980", "state": "PUBLISHED", "dateUpdated": "2026-04-27T12:29:29.663Z", "dateReserved": "2026-04-24T18:56:48.432Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-04-25T13:00:15.153Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability has been found in Divyanshu-hash GitPilot-MCP up to 9ed9f153ba4158a2ad230ee4871b25130da29ffd. This impacts the function repo_path of the file main.py. Such manipulation of the argument command leads to command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. The vendor was contacted early about this disclosure but did not respond in any way."}], "id": "CVE-2026-6980", "lastModified": "2026-04-29T01:00:01.613", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-04-25T14:16:00.120", "references": [{"source": "cna@vuldb.com", "url": "https://github.com/wing3e/public_exp/issues/38"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/submit/795502"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/359523"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/359523/cti"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-77"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "9ed9f153ba4158a2ad230ee4871b25130da29ffd"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "GitPilot-MCP", "source": "cna", "vendor": "Divyanshu-hash"}, "product": "gitpilot-mcp", "vendor": "divyanshu-hash"}], "analysis": {"en": {"generated_at": "2026-04-29T01:36:42.412652+00:00", "value": {"mitigation_remediation": ["If a patched revision has been released by the vendor, upgrade GitPilot\u2011MCP to a commit newer than 9ed9f153ba4158a2ad230ee4871b25130da29ffd.", "Add input validation or sanitization in the repo_path handler: whitelist acceptable characters or enforce path resolution before passing to the shell, or replace the shell call with a safe API such as subprocess.run with shell=False.", "If the endpoint must remain exposed, limit access by implementing network\u2011level controls (e.g., firewall rules, VPN, or authentication) and monitor for suspicious command execution attempts.", "Consider applying a temporary code patch that removes the repo_path functionality or redirects the endpoint to a safe stub until a permanent fix is available."], "summary": {"action": "Patch ASAP", "impact": "Remote Command Execution via Command Injection"}, "threat_synthesis": {"affected_systems": "All releases of Divyanshu\u2011hash GitPilot\u2011MCP up to the commit 9ed9f153ba4158a2ad230ee4871b25130da29ffd are affected. The product does not use formal versioning, so finer resolution of affected or unaffected builds is unavailable.", "description_and_impact": "The vulnerability resides in the repo_path handler of the main.py module of Divyanshu\u2011hash GitPilot\u2011MCP. The function takes a user\u2011supplied path and passes it directly to the operating system shell without any sanitization, a classic command injection flaw identified by CWE\u201174 and CWE\u201177. An attacker who can influence the command argument can cause the service to execute arbitrary shell commands on the host, potentially compromising confidentiality, integrity, and availability.", "risk_and_exploitability": "The CVSS score of 6.9 indicates moderate severity, while the EPSS score of 1% suggests a low but non\u2011zero likelihood of exploitation. The vulnerability is not listed in CISA KEV, but the public disclosure and the ability to launch attacks remotely via the exposed repo_path endpoint raise considerable concern. An attacker with network reach to the service could trigger the injection; authentication requirements are not specified in the description, so the exact scope remains uncertain."}}}}, "created": "2026-04-27T19:52:48.061792+00:00", "updated": "2026-04-29T01:45:26.019871+00:00", "vendors": ["divyanshu-hash", "divyanshu-hash$PRODUCT$gitpilot-mcp"]}