CVE-2026-7446: VetCoders mcp-server-semgrep OS Command Injection

The National Vulnerability Database (NVD) has disclosed CVE-2026-7446, a high-severity OS command injection vulnerability in VetCoders mcp-server-semgrep version 1.0.0. The flaw resides in the MCP Interface component, in the analyze_results, filter_results, export_results, compare_results, scan_directory, and create_rule functions of the src/index.ts file.

An attacker can trigger it by manipulating the ID argument, achieving remote operating system command injection. The NVD notes that an exploit for this vulnerability is now public, which significantly raises the immediate risk to unpatched systems. This is not theoretical; it is a direct path to system compromise.

With a CVSS score of 7.3 (HIGH) and a vector indicating network-based attacks requiring no privileges or user interaction, the vulnerability is easily exploitable. The NVD recommends upgrading to version 1.0.1, which contains patch 141335da044e53c3f5b315e0386e01238405b771, to mitigate the issue.
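To make the bug class concrete, here is an added TypeScript illustration written for this post; it is hypothetical and is not the project's src/index.ts. The unsafe pattern interpolates an untrusted id into a shell command line, while the hardened version validates the id against an assumed token format and hands the binary an argv array through execFile, so no shell ever parses the argument.

```typescript
// Hypothetical illustration of the CVE-2026-7446 bug class, not the project's code.
import { execFileSync } from "node:child_process";

// Assumed format for result/rule IDs: short opaque tokens. Anything else is
// rejected before it can reach a command line.
const ID_PATTERN = /^[A-Za-z0-9_-]{1,64}$/;

export function isValidId(id: unknown): id is string {
  return typeof id === "string" && ID_PATTERN.test(id);
}

// Vulnerable pattern: an untrusted MCP tool argument is interpolated into a
// shell command line. When such a string reaches exec(), the shell parses
// ; | $( ) and similar characters inside `id`, so the caller decides what runs.
export function buildUnsafeCommandLine(id: string): string {
  return `semgrep --config rules/${id}.yaml --json`;
}

// Hardened form: validate the argument, then build an argv array. With no shell
// involved, any metacharacters in `id` are just bytes inside one argument.
export function buildSafeArgv(id: unknown): { file: string; args: string[] } {
  if (!isValidId(id)) {
    throw new Error("invalid id: expected [A-Za-z0-9_-]{1,64}");
  }
  return { file: "semgrep", args: ["--config", `rules/${id}.yaml`, "--json"] };
}

// Runs the hardened form; execFileSync does not invoke a shell unless shell:true is set.
export function runSafe(id: unknown): string {
  const { file, args } = buildSafeArgv(id);
  return execFileSync(file, args, { encoding: "utf8" });
}

// Demonstration with a harmless binary (constructed input): echo receives a
// string containing a metacharacter as one literal argument; nothing else runs.
export function echoLiteral(arg: string): string {
  return execFileSync("echo", [arg], { encoding: "utf8" }).trimEnd();
}
```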

What This Means For You

  • If your organization runs VetCoders mcp-server-semgrep 1.0.0, you are directly exposed to remote OS command injection, and public exploits exist. Patch to version 1.0.1 immediately. Otherwise an attacker could execute arbitrary commands on your server, leading to data exfiltration, service disruption, or full system takeover.

Detection Rules

2 detection rules were auto-generated for this incident and mapped to MITRE ATT&CK; the Sigma YAML of the first is shown below.

Rule 1 · level: critical · T1190 Initial Access

CVE-2026-7446: VetCoders mcp-server-semgrep OS Command Injection via ID parameter

Sigma YAML:
title: 'CVE-2026-7446: VetCoders mcp-server-semgrep OS Command Injection via ID parameter'
id: scw-2026-04-30-ai-1
status: experimental
level: critical
description: |
  Detects exploitation attempts against CVE-2026-7446 in VetCoders mcp-server-semgrep. The vulnerability allows OS command injection when the 'ID' parameter is manipulated in specific API endpoints. This rule looks for requests targeting these endpoints with the 'id=' parameter, indicating a potential exploit attempt.
author: SCW Feed Engine (AI-generated)
date: 2026-04-30
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-7446/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-uri|contains:
      - '/analyze_results'
      - '/filter_results'
      - '/export_results'
      - '/compare_results'
      - '/scan_directory'
      - '/create_rule'
    cs-uri-query|contains:
      - 'id='
  condition: selection
falsepositives:
  - Legitimate administrative activity
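As an added example that is not part of the page's rule set, the following TypeScript applies the rule's selection to constructed W3C-style webserver log lines (treating cs-uri as the URI stem and assuming the field order in the comment), and adds a triage check on the decoded id value that the rule itself does not include, since a plain 'id=' also matches every legitimate call.

```typescript
// Added example: evaluates the Sigma selection above over constructed log lines.
const TARGET_PATHS = [
  "/analyze_results", "/filter_results", "/export_results",
  "/compare_results", "/scan_directory", "/create_rule",
];

export interface WebEntry {
  method: string; uriStem: string; uriQuery: string; status: string;
}

// Assumed field order: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
export function parseW3cLine(line: string): WebEntry | null {
  if (line.startsWith("#")) return null; // directive/header line
  const f = line.trim().split(/\s+/);
  if (f.length < 7) return null;
  return { method: f[3], uriStem: f[4], uriQuery: f[5], status: f[6] };
}

// The rule's selection: cs-uri contains a target path AND cs-uri-query contains 'id='
export function matchesRule(e: WebEntry): boolean {
  return TARGET_PATHS.some((p) => e.uriStem.includes(p)) && e.uriQuery.includes("id=");
}

// Extra triage check, not in the rule: decode the id value and look for shell
// metacharacters in it (URL-encoded forms such as %3B are decoded first).
export function looksInjected(query: string): boolean {
  const id = new URLSearchParams(query).get("id");
  return id !== null && /[;|&`$(){}<>\n]/.test(id);
}

// Constructed sample log lines, not real traffic.
export const SAMPLE_LOG: string[] = [
  "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
  "2026-04-30 03:20:01 203.0.113.7 POST /export_results id=r1%3Bxyz 200",
  "2026-04-30 03:20:05 198.51.100.2 GET /health - 200",
  "2026-04-30 03:21:10 203.0.113.7 GET /filter_results id=r2&severity=high 200",
  "2026-04-30 03:22:00 192.0.2.9 GET /docs/index.html page=2 200",
];

// Lines the rule as written would alert on.
export function alertingLines(lines: string[]): string[] {
  return lines.filter((l) => { const e = parseW3cLine(l); return e !== null && matchesRule(e); });
}

// Rule hits narrowed to those whose id value carries a shell metacharacter.
export function triageLines(lines: string[]): string[] {
  return alertingLines(lines).filter((l) => looksInjected(parseW3cLine(l)!.uriQuery));
}
```

The rule alone fires on both id-bearing requests in the sample; the triage filter keeps only the one whose decoded id contains a metacharacter.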

Source: Shimi's Cyber World

Indicators of Compromise

ID | Type | Indicator
CVE-2026-7446 | Command Injection | VetCoders mcp-server-semgrep version 1.0.0
CVE-2026-7446 | Command Injection | Vulnerable functions: analyze_results, filter_results, export_results, compare_results, scan_directory, create_rule in src/index.ts
CVE-2026-7446 | Command Injection | Manipulation of argument ID in MCP Interface component
CVE-2026-7446 | Command Injection | Upgrade to VetCoders mcp-server-semgrep version 1.0.1 or apply patch 141335da044e53c3f5b315e0386e01238405b771

Source & Attribution

Source platform: NVD
Channel: National Vulnerability Database
Published: April 30, 2026 at 03:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
