Remote Code Execution Vulnerability in DocsGPT by Arc53
CVE-2026-26015

10CRITICAL

Key Information:

Vendor: Arc53
Status: Docsgpt
Vendor: CVE Published:; 29 April 2026

What is CVE-2026-26015?

DocsGPT, a documentation chat powered by GPT, has a vulnerability that allows attackers to execute arbitrary code remotely. This flaw, present in versions 0.15.0 to prior to 0.16.0, permits a malicious actor to craft a payload that bypasses the 'MCP test' functionality. The issue has been resolved in version 0.16.0, highlighting the importance of keeping all deployments updated.

Affected Version(s)

DocsGPT >= 0.15.0, < 0.16.0

References

https://github.com/arc53/DocsGPT/security/advisories/GHSA...

x_refsource_CONFIRM

https://github.com/arc53/DocsGPT/releases/tag/0.16.0

x_refsource_MISC

CVSS V4

Score:

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 29, 2026
Vulnerability Reserved
Feb 9, 2026

CVE-2026-26015 Data

JSON