Command Injection Vulnerability in Sunwood-ai-labs Command-Executor MCP Server
CVE-2026-7593

6.9MEDIUM

Key Information:

Vendor

Sunwood-ai-labs

Status
Command-executor-mcp-server
Vendor
CVE Published:
1 May 2026

Badges

๐Ÿ‘พ Exploit Exists๐ŸŸก Public PoC

What is CVE-2026-7593?

A security vulnerability has been identified in the Sunwood-ai-labs command-executor-mcp-server, specifically in version 0.1.0 and earlier. This flaw resides in the execute_command function located in src/index.ts of the MCP Interface component. The vulnerability allows for potential OS command injection, posing a risk for remote exploitation. This issue was disclosed publicly, enabling malicious actors to leverage the exploit. Although the project was notified of the vulnerability early via an issue report, no response has been recorded from the development team.

Affected Version(s)

command-executor-mcp-server 0.1.0

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2026-7593 - Proof of Concept

References

https://vuldb.com/vuln/360546
vdb-entrytechnical-description
https://vuldb.com/vuln/360546/cti
signaturepermissions-required
https://vuldb.com/submit/805507
third-party-advisory

CVSS V4

Score:
6.9
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • ๐ŸŸก

    Public PoC available

  • ๐Ÿ‘พ

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

_Eternity_ (VulDB User)
VulDB CNA Team
.