CVE-2026-5603
elgentos magento2-dev-mcp index.ts executeMagerun2Command os command injection
A vulnerability was identified in elgentos magento2-dev-mcp up to 1.0.2. The affected element is the function executeMagerun2Command in the file src/index.ts. Manipulation of this function leads to OS command injection. The attack has to be carried out locally. The exploit is publicly available and might be used. The patch is named aa1ffcc0aea1b212c69787391783af27df15ae9d. The patch should be applied to remediate this issue.
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P
Affected products
elgentos · magento2-dev-mcp
Public PoCs found: 1
cve_reference: github.com/user-attachments/files/25895777/magento2-dev-mcp_bug.pdf (unverified)
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
References
https://github.com/elgentos/magento2-dev-mcp/
https://github.com/elgentos/magento2-dev-mcp/commit/aa1ffcc0aea1b212c69787391783af27df15ae9d
https://github.com/elgentos/magento2-dev-mcp/issues/4
https://github.com/elgentos/magento2-dev-mcp/pull/5
https://github.com/user-attachments/files/25895777/magento2-dev-mcp_bug.pdf
https://vuldb.com/submit/784864
https://vuldb.com/vuln/355395
https://vuldb.com/vuln/355395/cti