CVE-2026-7628
crazyrabbitLTC mcp-code-review-server RepoMix repomix.ts executeRepomix command injection
A vulnerability was detected in crazyrabbitLTC mcp-code-review-server up to 0.1.0. This issue affects the function executeRepomix of the file src/repomix.ts of the component RepoMix Command Handler. Performing a manipulation results in command injection. The attack may be initiated remotely. The exploit is now public and may be used. The project was informed of the problem early through a pull request but has not reacted yet.
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P
Affected products
crazyrabbitLTC · mcp-code-review-serverpublic PoCs found — 1
cve_referencegithub.com/user-attachments/files/26018245/mcp-code-review-server_bug.pdfunverified⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
Want to know if your infrastructure is exposed to this?
Talk to TrueHacking →References
https://github.com/crazyrabbitLTC/mcp-code-review-server/https://github.com/crazyrabbitLTC/mcp-code-review-server/issues/4https://github.com/crazyrabbitLTC/mcp-code-review-server/pull/5https://github.com/user-attachments/files/26018245/mcp-code-review-server_bug.pdfhttps://vuldb.com/submit/806469https://vuldb.com/vuln/360574https://vuldb.com/vuln/360574/cti