{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/vetcoders/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-7446"}],"_cs_exploited":false,"_cs_products":["mcp-server-semgrep 1.0.0"],"_cs_severities":["high"],"_cs_tags":["command-injection","vulnerability","mcp-server-semgrep"],"_cs_type":"advisory","_cs_vendors":["VetCoders"],"content_html":"\u003cp\u003eA critical OS command injection vulnerability has been identified in VetCoders mcp-server-semgrep version 1.0.0. The vulnerability resides within the MCP Interface component, specifically affecting the \u003ccode\u003eanalyze_results\u003c/code\u003e, \u003ccode\u003efilter_results\u003c/code\u003e, \u003ccode\u003eexport_results\u003c/code\u003e, \u003ccode\u003ecompare_results\u003c/code\u003e, \u003ccode\u003escan_directory\u003c/code\u003e, and \u003ccode\u003ecreate_rule\u003c/code\u003e functions in the \u003ccode\u003esrc/index.ts\u003c/code\u003e file. Successful exploitation allows for remote attackers to inject and execute arbitrary operating system commands on the affected system. The vulnerability is publicly known and actively exploitable. VetCoders has released version 1.0.1 to address this issue, with patch \u003ccode\u003e141335da044e53c3f5b315e0386e01238405b771\u003c/code\u003e containing the fix. Defenders should prioritize upgrading to version 1.0.1 to mitigate this risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable instance of VetCoders mcp-server-semgrep version 1.0.0.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious request targeting one of the vulnerable functions: \u003ccode\u003eanalyze_results\u003c/code\u003e, \u003ccode\u003efilter_results\u003c/code\u003e, \u003ccode\u003eexport_results\u003c/code\u003e, \u003ccode\u003ecompare_results\u003c/code\u003e, \u003ccode\u003escan_directory\u003c/code\u003e, or \u003ccode\u003ecreate_rule\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe malicious request includes a manipulated \u003ccode\u003eID\u003c/code\u003e argument designed to inject OS commands.\u003c/li\u003e\n\u003cli\u003eThe application fails to properly sanitize or validate the \u003ccode\u003eID\u003c/code\u003e argument.\u003c/li\u003e\n\u003cli\u003eThe application executes the injected OS command using a function such as \u003ccode\u003eexec\u003c/code\u003e, \u003ccode\u003esystem\u003c/code\u003e, or equivalent within the affected functions in \u003ccode\u003esrc/index.ts\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe injected command executes with the privileges of the mcp-server-semgrep process.\u003c/li\u003e\n\u003cli\u003eThe attacker gains arbitrary code execution on the server.\u003c/li\u003e\n\u003cli\u003eThe attacker can then perform actions such as data exfiltration, lateral movement, or denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows a remote attacker to execute arbitrary operating system commands on the affected server. This could lead to complete system compromise, including data theft, modification, or destruction. Depending on the server\u0026rsquo;s role and the attacker\u0026rsquo;s objectives, this could result in significant financial loss, reputational damage, and disruption of services. There is no information about specific victim counts or targeted sectors.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to VetCoders mcp-server-semgrep version 1.0.1 to remediate the vulnerability as identified in CVE-2026-7446.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests targeting the \u003ccode\u003e/src/index.ts\u003c/code\u003e file with unusual or potentially malicious input in the \u003ccode\u003eID\u003c/code\u003e argument, using the Sigma rules provided.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization for all user-supplied input, especially the \u003ccode\u003eID\u003c/code\u003e parameter, to prevent command injection attacks.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-30T00:17:01Z","date_published":"2026-04-30T00:17:01Z","id":"/briefs/2026-05-vetcoders-command-injection/","summary":"VetCoders mcp-server-semgrep version 1.0.0 is vulnerable to remote OS command injection due to manipulation of the ID argument in several functions of the MCP Interface component.","title":"VetCoders mcp-server-semgrep OS Command Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-vetcoders-command-injection/"}],"language":"en","title":"CraftedSignal Threat Feed — VetCoders","version":"https://jsonfeed.org/version/1.1"}