CVE-2026-15522
tugcantopaloglu godot-mcp run_project index.js validatePath path traversal
Vexday Risk Score
33Attention
SSVC decision (CISA)
Attend
PoC available → attend closely
Exploit maturity
Proof of concept
Public proof of concept exists, but not yet automated.
CVSS 4.8EPSS 0.1%KEV nãoPoC públicaNuclei —Metasploit —Patch referenciado
Lifecycle
13 Jul 2026Published on NVD
Recommendation: Plan a near-term fix — a public PoC already exists.
A security flaw has been discovered in tugcantopaloglu godot-mcp 2.0.0. Affected by this vulnerability is the function validatePath of the file build/index.js of the component run_project. The manipulation of the argument projectPath results in path traversal. Attacking locally is a requirement. The exploit has been released to the public and may be used for attacks. Upgrading to version 3.0.0 addresses this issue. The patch is identified as eb63add552aa4bd9205395cf91b40654654a3cf2. It is suggested to upgrade the affected component.
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P
Affected products
tugcantopaloglu · godot-mcppublic PoCs found — 1
cve_referencegithub.com/tugcantopaloglu/godot-mcp/issues/9unverified⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
References
https://github.com/tugcantopaloglu/godot-mcp/https://github.com/tugcantopaloglu/godot-mcp/commit/eb63add552aa4bd9205395cf91b40654654a3cf2https://github.com/tugcantopaloglu/godot-mcp/issues/9https://github.com/tugcantopaloglu/godot-mcp/releases/tag/v3.0.0https://vuldb.com/cve/CVE-2026-15522https://vuldb.com/submit/854523https://vuldb.com/vuln/377851https://vuldb.com/vuln/377851/cti