Command Injection Vulnerability in Aider-MCP by Eiliyaabedini
CVE-2026-7316

6.9MEDIUM

Key Information:

Vendor

Eiliyaabedini

Status
Aider-mcp
Vendor
CVE Published:
28 April 2026

Badges

๐Ÿ‘พ Exploit Exists๐ŸŸก Public PoC

What is CVE-2026-7316?

Aider-MCP, developed by Eiliyaabedini, contains a command injection vulnerability within its 'aider_mcp.py' file, specifically when manipulating the 'working_dir/editable_files' argument. This flaw allows attackers to remotely execute arbitrary commands on the server. The ongoing rolling release model means that specific version identifiers for affected updates are not always clear. Despite early notification to the developers, no response has yet been issued regarding the vulnerability. Addressing this issue is critical to ensure the security and reliability of the software.

Affected Version(s)

aider-mcp 667b914301aada695aab0e46d1fb3a7d5e32c8af

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2026-7316 - Proof of Concept

References

https://vuldb.com/vuln/359964
vdb-entrytechnical-description
https://vuldb.com/vuln/359964/cti
signaturepermissions-required
https://vuldb.com/submit/803082
third-party-advisory

CVSS V4

Score:
6.9
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • ๐ŸŸก

    Public PoC available

  • ๐Ÿ‘พ

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

LittleW (VulDB User)
VulDB CNA Team
.