<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Idachev - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/vendors/idachev/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/vendors/idachev/feed.xml" rel="self" type="application/rss+xml"/><item><title>idachev mcp-javadc OS Command Injection via HTTP Interface (CVE-2026-5802)</title><link>https://feed.craftedsignal.io/briefs/2026-04-mcp-javadc-command-injection/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-mcp-javadc-command-injection/</guid><description>A remote command injection vulnerability (CVE-2026-5802) exists in idachev mcp-javadc up to version 1.2.4 via the HTTP Interface by manipulating the jarFilePath argument, allowing unauthenticated attackers to execute arbitrary OS commands.</description><content:encoded><![CDATA[<p>A critical OS command injection vulnerability, CVE-2026-5802, has been identified in idachev mcp-javadc, a Java decompiler, up to version 1.2.4. The vulnerability resides within the HTTP Interface component. By manipulating the <code>jarFilePath</code> argument, a remote attacker can inject and execute arbitrary operating system commands on the server. This vulnerability is remotely exploitable without authentication, increasing the severity. Publicly available exploits exist, potentially leading to widespread exploitation. The vendor has been notified through an issue report but has not yet responded.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker sends a malicious HTTP request to the vulnerable <code>mcp-javadc</code> server.</li>
<li>The HTTP request targets the HTTP Interface component.</li>
<li>The attacker crafts the request to manipulate the <code>jarFilePath</code> argument.</li>
<li>The server-side code fails to properly sanitize the <code>jarFilePath</code> argument.</li>
<li>The unsanitized <code>jarFilePath</code> argument is passed to an operating system command.</li>
<li>The injected OS command is executed by the server with the privileges of the <code>mcp-javadc</code> process.</li>
<li>The attacker gains arbitrary code execution on the server.</li>
<li>The attacker can then perform further actions, such as data exfiltration, lateral movement, or denial of service.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-5802 allows unauthenticated remote attackers to execute arbitrary operating system commands on the affected system. This can lead to complete system compromise, including data theft, malware installation, and denial of service. As this vulnerability affects a software development tool, successful attacks could compromise software build pipelines, leading to supply chain attacks. The number of potential victims is currently unknown, but given the publicly available exploit, the risk of widespread exploitation is high.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply available patches for <code>mcp-javadc</code> if they become available.</li>
<li>Deploy the Sigma rule <code>Detect Suspicious JarFilePath Parameter in HTTP Request</code> to identify exploitation attempts targeting the <code>jarFilePath</code> parameter.</li>
<li>Monitor web server logs for unusual HTTP requests containing suspicious characters or command sequences within the <code>jarFilePath</code> parameter.</li>
<li>Implement input validation and sanitization measures on the server-side to prevent command injection.</li>
<li>Place the affected server in an isolated network segment to limit the impact of potential compromise.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>command-injection</category><category>web-application</category><category>cve-2026-5802</category></item></channel></rss>