Path Traversal Vulnerability in ezequiroga MCP Bases Product
CVE-2026-7384

6.9MEDIUM

Key Information:

Vendor: Ezequiroga
Status: Mcp-bases
Vendor: CVE Published:; 29 April 2026

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2026-7384?

A path traversal vulnerability has been identified in the ezequiroga MCP Bases product, particularly in the 'search_papers' function of the research_server.py file. This vulnerability allows an attacker to manipulate the 'topic' argument, potentially leading to unauthorized access to files on the server. Remote exploitation is feasible, raising significant security concerns for deployments of this product. Despite the reporting of this issue, there has been no acknowledgment or response from the project's maintainers, making it critical for users to be aware of this risk.

Affected Version(s)

mcp-bases 357ca19c7a49a9b9cb2ef639b366f03aba8bea39

mcp-bases c630b8ab0f970614d42da8e566e9c0d15a16414c

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2026-7384 - Proof of Concept

References

https://vuldb.com/vuln/360106

vdb-entrytechnical-description

https://vuldb.com/vuln/360106/cti

signaturepermissions-required

https://vuldb.com/submit/803095

third-party-advisory

CVSS V4

Score:

6.9

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Apr 29, 2026
👾
Exploit known to exist
Apr 29, 2026
Vulnerability published
Apr 29, 2026
Vulnerability Reserved
Apr 29, 2026

Credit

LittleW (VulDB User)

VulDB CNA Team

CVE-2026-7384 Data

JSON

Ezequiroga