CVE-2026-13489

78 xiaozhi-esp32 MCP Response mcp_server.cc ParseMessage improper synchronization

CVSS 2.3 LOWEPSS 0.2%CWE-662

Vexday Risk Score

28Low

SSVC decision (CISA)

Attend

PoC available → attend closely

CVSS 2.3EPSS 0.2%KEV nãoPoC públicaNuclei —Metasploit —Patch referenciado

Lifecycle

28 Jun 2026Published on NVD

Recommendation: Plan a near-term fix — a public PoC already exists.

A weakness has been identified in 78 xiaozhi-esp32 up to 2.2.6. Affected by this issue is the function ParseMessage of the file main/mcp_server.cc of the component MCP Response Handler. This manipulation causes improper synchronization. Remote exploitation of the attack is possible. The attack's complexity is rated as high. The exploitation is known to be difficult. The exploit has been made available to the public and could be used for attacks. The pull request to fix this issue awaits acceptance.

CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P

Affected products

78 · xiaozhi-esp32

public PoCs found — 1

cve_referencegithub.com/78/xiaozhi-esp32/issues/2020unverified

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/78/xiaozhi-esp32/https://github.com/78/xiaozhi-esp32/issues/2020 https://github.com/78/xiaozhi-esp32/pull/2021 https://vuldb.com/cve/CVE-2026-13489 https://vuldb.com/submit/838198 https://vuldb.com/vuln/374486 https://vuldb.com/vuln/374486/cti