CVE-2026-5023

A vulnerability has been found in DeDeveloper23 codebase-mcp up to 3ec749d237dd8eabbeef48657cf917275792fde6. This vulnerability affects the function getCodebase/getRemoteCodebase/saveCodebase of the file src/tools/codebase.ts of the component RepoMix Command Handler. Such manipulation leads to os command injection. The attack needs to be performed locally. The exploit has been disclosed to the public and may be used. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. The project was informed of the problem early through an issue report but has not responded yet.

CVSS v3 5.3 MEDIUM
CVSS v2.0 4.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 3.4

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

4.3^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:L/AC:L/Au:S/C:P/I:P/A:P

Exploitability : 3.1 / Impact : 6.4

Access Vector LOCAL

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://github.com/DeDeveloper23/codebase-mcp/
https://github.com/DeDeveloper23/codebase-mcp/issues/7
https://vuldb.com/submit/778348
https://vuldb.com/vuln/353907
https://vuldb.com/vuln/353907/cti

Configurations

No configuration.

History

24 Apr 2026, 16:36

Type	Values Removed	Values Added
Summary		(es) Se ha encontrado una vulnerabilidad en DeDeveloper23 codebase-mcp hasta 3ec749d237dd8eabbeef48657cf917275792fde6. Esta vulnerabilidad afecta a la función getCodebase/getRemoteCodebase/saveCodebase del archivo src/tools/codebase.ts del componente Gestor de Comandos RepoMix. Dicha manipulación conduce a una inyección de comandos del sistema operativo. El ataque debe realizarse localmente. El exploit ha sido divulgado al público y puede ser utilizado. Este producto implementa un lanzamiento continuo para la entrega constante, lo que significa que la información de la versión para las versiones afectadas o actualizadas no está disponible. El proyecto fue informado del problema con antelación a través de un informe de incidencias, pero aún no ha respondido.

29 Mar 2026, 02:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-29 02:16

Updated : 2026-04-29 01:00

NVD link : CVE-2026-5023

Mitre link : CVE-2026-5023

CVE.ORG link : CVE-2026-5023

JSON object : View

Products Affected

No product.

CWE

CWE-77

Improper Neutralization of Special Elements used in a Command ('Command Injection')

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

5.3 /10