{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4496", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-03-20T09:15:25.741Z", "datePublished": "2026-03-20T18:32:13.041Z", "dateUpdated": "2026-03-25T13:59:02.878Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-03-20T18:32:13.041Z"}, "title": "sigmade Git-MCP-Server gitUtils.ts child_process.exec os command injection", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-78", "lang": "en", "description": "OS Command Injection"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-77", "lang": "en", "description": "Command Injection"}]}], "affected": [{"vendor": "sigmade", "product": "Git-MCP-Server", "versions": [{"version": "785aa159f262a02d5791a5d8a8e13c507ac42880", "status": "affected"}], "modules": ["show_merge_diff/quick_merge_summary/show_file_diff"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was found in sigmade Git-MCP-Server up to 785aa159f262a02d5791a5d8a8e13c507ac42880. Affected by this vulnerability is the function child_process.exec of the file src/gitUtils.ts of the component show_merge_diff/quick_merge_summary/show_file_diff. The manipulation results in os command injection. The attack must be initiated from a local position. The exploit has been made public and could be used. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases. It is advisable to implement a patch to correct this issue. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 4.8, "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C", "baseSeverity": "MEDIUM"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 5.3, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C", "baseSeverity": "MEDIUM"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 4.3, "vectorString": "AV:L/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C"}}], "timeline": [{"time": "2026-03-20T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-03-20T01:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-03-20T10:21:37.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "Yinci Chen (VulDB User)", "type": "reporter"}, {"lang": "en", "value": "VulDB", "type": "coordinator"}], "references": [{"url": "https://vuldb.com/?id.352045", "name": "VDB-352045 | sigmade Git-MCP-Server gitUtils.ts child_process.exec os command injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.352045", "name": "VDB-352045 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.773796", "name": "Submit #773796 | sigmade Git-MCP-Server <=1.0.0 Command Injection", "tags": ["third-party-advisory"]}, {"url": "https://github.com/sigmade/Git-MCP-Server/issues/1", "tags": ["issue-tracking"]}, {"url": "https://github.com/user-attachments/files/24855745/Git-MCP-Server.bug.pdf", "tags": ["exploit"]}, {"url": "https://github.com/sigmade/Git-MCP-Server/pull/2", "tags": ["issue-tracking", "patch"]}, {"url": "https://github.com/sigmade/Git-MCP-Server/", "tags": ["product"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-25T13:58:53.941904Z", "id": "CVE-2026-4496", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T13:59:02.878Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4496", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-25T13:58:53.941904Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T13:58:58.624Z"}}], "cna": {"title": "sigmade Git-MCP-Server gitUtils.ts child_process.exec os command injection", "credits": [{"lang": "en", "type": "reporter", "value": "Yinci Chen (VulDB User)"}, {"lang": "en", "type": "coordinator", "value": "VulDB"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 4.8, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 4.3, "vectorString": "AV:L/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C"}}], "affected": [{"vendor": "sigmade", "modules": ["show_merge_diff/quick_merge_summary/show_file_diff"], "product": "Git-MCP-Server", "versions": [{"status": "affected", "version": "785aa159f262a02d5791a5d8a8e13c507ac42880"}]}], "timeline": [{"lang": "en", "time": "2026-03-20T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-03-20T01:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-03-20T10:21:37.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/?id.352045", "name": "VDB-352045 | sigmade Git-MCP-Server gitUtils.ts child_process.exec os command injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.352045", "name": "VDB-352045 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.773796", "name": "Submit #773796 | sigmade Git-MCP-Server <=1.0.0 Command Injection", "tags": ["third-party-advisory"]}, {"url": "https://github.com/sigmade/Git-MCP-Server/issues/1", "tags": ["issue-tracking"]}, {"url": "https://github.com/user-attachments/files/24855745/Git-MCP-Server.bug.pdf", "tags": ["exploit"]}, {"url": "https://github.com/sigmade/Git-MCP-Server/pull/2", "tags": ["issue-tracking", "patch"]}, {"url": "https://github.com/sigmade/Git-MCP-Server/", "tags": ["product"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was found in sigmade Git-MCP-Server up to 785aa159f262a02d5791a5d8a8e13c507ac42880. Affected by this vulnerability is the function child_process.exec of the file src/gitUtils.ts of the component show_merge_diff/quick_merge_summary/show_file_diff. The manipulation results in os command injection. The attack must be initiated from a local position. The exploit has been made public and could be used. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases. It is advisable to implement a patch to correct this issue. The vendor was contacted early about this disclosure but did not respond in any way."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "OS Command Injection"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-77", "description": "Command Injection"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-03-20T18:32:13.041Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4496", "state": "PUBLISHED", "dateUpdated": "2026-03-25T13:59:02.878Z", "dateReserved": "2026-03-20T09:15:25.741Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-03-20T18:32:13.041Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was found in sigmade Git-MCP-Server up to 785aa159f262a02d5791a5d8a8e13c507ac42880. Affected by this vulnerability is the function child_process.exec of the file src/gitUtils.ts of the component show_merge_diff/quick_merge_summary/show_file_diff. The manipulation results in os command injection. The attack must be initiated from a local position. The exploit has been made public and could be used. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases. It is advisable to implement a patch to correct this issue. The vendor was contacted early about this disclosure but did not respond in any way."}], "id": "CVE-2026-4496", "lastModified": "2026-03-24T15:54:09.400", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 3.1, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-03-20T19:16:20.310", "references": [{"source": "cna@vuldb.com", "url": "https://github.com/sigmade/Git-MCP-Server/"}, {"source": "cna@vuldb.com", "url": "https://github.com/sigmade/Git-MCP-Server/issues/1"}, {"source": "cna@vuldb.com", "url": "https://github.com/sigmade/Git-MCP-Server/pull/2"}, {"source": "cna@vuldb.com", "url": "https://github.com/user-attachments/files/24855745/Git-MCP-Server.bug.pdf"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?ctiid.352045"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?id.352045"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?submit.773796"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-77"}, {"lang": "en", "value": "CWE-78"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "785aa159f262a02d5791a5d8a8e13c507ac42880"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Git-MCP-Server", "source": "cna", "vendor": "sigmade"}, "product": "git-mcp-server", "vendor": "sigmade"}], "analysis": {"en": {"generated_at": "2026-03-20T19:50:19.599837+00:00", "value": {"mitigation_remediation": ["Apply any vendor\u2011provided patch or update to a fixed release as soon as it becomes available.", "Restrict local access to the Git\u2011MCP\u2011Server environment so that only trusted users can interact with the service.", "If no patch is available, consider disabling the child_process.exec usage or rewriting that logic to avoid passing untrusted data to the shell.", "Implement logging and monitoring to detect unexpected shell command execution within the application.", "Assess the risk of current deployments and, if necessary, migrate to a different implementation or vendor that provides secure handling of command execution."], "summary": {"action": "Apply Patch", "impact": "Local OS Command Injection"}, "threat_synthesis": {"affected_systems": "The affected product is Sigmade Git-MCP-Server version up to commit 785aa159f262a02d5791a5d8a8e13c507ac42880. Because the project follows a rolling release model, no fixed release is documented and the vulnerability exists in all prior commits until a patch is applied.", "description_and_impact": "The vulnerability occurs in the child_process.exec call within the gitUtils.ts file. Unvalidated input enables an attacker to execute arbitrary commands on the host, potentially leading to full compromise of the system. This matches known weaknesses CWE-77 and CWE-78.", "risk_and_exploitability": "The CVSS score is 4.8 indicating moderate severity, and the vulnerability is not listed in KEV. Since the attack requires local access, the risk is confined to environments where an attacker can run code locally or gain local privileges. Nevertheless, the exploit code has been publicly released, and the vendor did not respond to disclosure, increasing the likelihood of exploitation."}}}}, "created": "2026-03-23T09:52:59.739955+00:00", "updated": "2026-03-25T14:34:55.505664+00:00", "vendors": ["sigmade", "sigmade$PRODUCT$git-mcp-server"]}