CVE-2026-6980: Divyanshu-hash GitPilot-MCP Command Injection
The National Vulnerability Database (NVD) has disclosed CVE-2026-6980, a high-severity command injection vulnerability impacting Divyanshu-hash GitPilot-MCP up to commit 9ed9f153ba4158a2ad230ee4871b25130da29ffd. This flaw, rated 7.3 CVSS, resides in the repo_path function within main.py and allows for remote command injection through manipulation of the command argument.
This is a critical issue. The exploit has been publicly disclosed, meaning attackers can and will weaponize it. Compounding the problem, the product lacks versioning, making it impossible to identify specific affected or unaffected releases. The vendor, Divyanshu-hash, has reportedly not responded to early disclosure attempts by the NVD.
Attackers will leverage this for initial access or privilege escalation. The ability to execute arbitrary commands remotely offers a direct path to system compromise, data exfiltration, or further lateral movement within an environment. The lack of vendor response and versioning leaves defenders in a tough spot, requiring immediate action to identify and mitigate exposure.
What This Means For You
- If your organization uses Divyanshu-hash GitPilot-MCP, assume it is vulnerable. Immediately identify all instances, review the codebase for any custom patches, and consider isolating or decommissioning the application until a fix is available. Given the public exploit and lack of vendor support, this is a ticking time bomb for remote code execution.
Related ATT&CK Techniques
🛡️ Detection Rules
3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK (Sigma YAML shown below).
CVE-2026-6980: GitPilot-MCP repo_path Command Injection
```yaml
# Title is quoted: an unquoted scalar containing ": " is not valid YAML
title: 'CVE-2026-6980: GitPilot-MCP repo_path Command Injection'
id: scw-2026-04-25-ai-1
status: experimental
level: critical
description: |
    Detects attempts to exploit CVE-2026-6980 in GitPilot-MCP by targeting the repo_path function.
    The rule looks for specific git commands being passed as the 'command' parameter within the
    '/repo_path' URI, indicating a potential command injection attempt.
author: SCW Feed Engine (AI-generated)
date: 2026-04-25
references:
    - https://shimiscyberworld.com/posts/nvd-CVE-2026-6980/
tags:
    - attack.initial_access
    - attack.t1190
logsource:
    category: webserver
detection:
    selection:
        cs-uri-query|contains:
            - 'command=git clone'
            - 'command=git pull'
            - 'command=git fetch'
        cs-uri|contains:
            - '/repo_path'
    condition: selection
falsepositives:
    - Legitimate administrative activity
```
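To show what the Sigma selection above actually flags, here is an added example (not part of the advisory and not GitPilot-MCP project code) that applies the same `cs-uri` / `cs-uri-query` matching to a handful of constructed webserver log lines. The log format, IP addresses and URLs are assumptions for illustration; the URI marker and the three `command=git ...` strings are copied from the rule. The example also decodes `%20` and `+` in the query string before matching, which the Sigma rule as written does not do, so percent-encoded requests are caught too.

```python
"""Replay the CVE-2026-6980 Sigma selection over constructed log lines.

Added example; not the advisory's or the GitPilot-MCP project's code.
"""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import unquote

# Values copied from the Sigma rule's selection block
URI_MARKER = "/repo_path"
QUERY_MARKERS = ("command=git clone", "command=git pull", "command=git fetch")

# Constructed sample log lines (not real traffic), in an assumed minimal
# "<client-ip> <method> <uri> <status>" layout where the URI carries the query.
SAMPLE_LOGS = [
    "10.0.0.5 POST /repo_path?command=git%20clone%20https://example.invalid/r.git 200",
    "10.0.0.6 GET /repo_path?command=git+fetch 200",
    "10.0.0.7 GET /repo_path?command=git%20pull 200",
    "10.0.0.8 GET /healthz 200",
    "10.0.0.9 GET /repo_path?command=status 200",
]

LOG_RE = re.compile(r"^(?P<ip>\S+) (?P<method>\S+) (?P<uri>\S+) (?P<status>\d{3})$")


@dataclass
class Event:
    ip: str
    method: str
    cs_uri: str        # path component, mirrors Sigma's cs-uri
    cs_uri_query: str  # decoded query component, mirrors cs-uri-query


def parse_line(line: str) -> Optional[Event]:
    """Split one log line into the two fields the Sigma rule inspects."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    path, _, query = m.group("uri").partition("?")
    # Normalise '+' and percent-encoding so 'git%20clone' and 'git+clone'
    # compare equal to the plain 'git clone' marker in the rule.
    query = unquote(query.replace("+", " "))
    return Event(m.group("ip"), m.group("method"), path, query)


def matches_rule(ev: Event) -> bool:
    """Sigma: cs-uri|contains '/repo_path' AND cs-uri-query|contains any marker.

    Sigma's 'contains' is case-insensitive, so both sides are lower-cased.
    """
    uri_hit = URI_MARKER.lower() in ev.cs_uri.lower()
    query = ev.cs_uri_query.lower()
    return uri_hit and any(marker in query for marker in QUERY_MARKERS)


def scan(lines: List[str]) -> List[Event]:
    """Return the events that the rule would raise an alert for."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev is not None and matches_rule(ev):
            hits.append(ev)
    return hits


if __name__ == "__main__":
    for ev in scan(SAMPLE_LOGS):
        print(f"ALERT CVE-2026-6980 candidate from {ev.ip}: {ev.cs_uri}?{ev.cs_uri_query}")
```

Running this flags the first three sample lines and leaves `/healthz` and `command=status` alone, which also illustrates the rule's blind spot: it only keys on three git verbs, so any other value passed through `command=` on `/repo_path` is invisible to it. A defender tuning the rule for their own logs would likely broaden the selection to any `command=` parameter on that endpoint and accept the extra false positives listed under `falsepositives`.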
Source: Shimi's Cyber World
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-6980 | Command Injection | Divyanshu-hash GitPilot-MCP up to commit 9ed9f153ba4158a2ad230ee4871b25130da29ffd |
| CVE-2026-6980 | Command Injection | Vulnerable function: repo_path in main.py |
| CVE-2026-6980 | Command Injection | Manipulation of argument 'command' leading to injection |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | April 25, 2026 at 17:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.