Command Injection Vulnerability in egtai gmx-vmd-mcp Product
CVE-2026-7215

6.9MEDIUM

Key Information:

Vendor: Egtai
Status: Gmx-vmd-mcp
Vendor: CVE Published:; 28 April 2026

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2026-7215?

A security flaw in the egtai gmx-vmd-mcp product allows for command injection via the VMD Launch Handler. Specifically, the vulnerability is located in the launch_vmd_gui_tool function of the mcp_server.py file. Attackers can manipulate the structure_file and trajectory_file arguments, which could facilitate unauthorized command execution. This vulnerability can be exploited remotely, potentially putting users at risk. The issue was reported to the project maintainers; however, there has been no official response or patch addressing the problem.

Affected Version(s)

gmx-vmd-mcp 0.1.0

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2026-7215 - Proof of Concept

References

https://vuldb.com/vuln/359815

vdb-entrytechnical-description

https://vuldb.com/vuln/359815/cti

signaturepermissions-required

https://vuldb.com/submit/802087

third-party-advisory

CVSS V4

Score:

6.9

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Apr 28, 2026
👾
Exploit known to exist
Apr 28, 2026
Vulnerability published
Apr 28, 2026
Vulnerability Reserved
Apr 27, 2026

Credit

SmallW (VulDB User)

VulDB CNA Team

CVE-2026-7215 Data

JSON

Egtai