CVE-2026-7785: Wireshark-MCP OS Command Injection Hits High Severity

The National Vulnerability Database has disclosed CVE-2026-7785, a high-severity OS command injection vulnerability in the A-G-U-P-T-A wireshark-mcp project (specific commit edaf604416fbc94a201b4043092d4a1b09a12275/400c3da70074f22f3cce7ccb65304cafc7089c89). This flaw resides in the quick_capture function within pyshark_mcp.py, allowing remote attackers to execute arbitrary operating system commands.

The CVSS v3.1 score of 7.3 (HIGH) underscores the significant risk: the attack vector is network-based and the attack requires no privileges or user interaction. The National Vulnerability Database also notes that an exploit has been publicly released, which drastically increases the immediate threat. Compounding the issue, the project operates on a rolling release model, so no specific affected or patched versions are listed, which makes tracking remediation challenging.

Critically, the project maintainers were notified of this issue but have yet to respond. This lack of communication and patching in the face of a public exploit and remote command injection capability is a red flag. Defenders should assume this vulnerability is actively being targeted and take immediate steps to mitigate the risk.
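To make the vulnerability class concrete, the following is an added example that is not code from the wireshark-mcp project and does not reproduce its actual quick_capture implementation. It shows a hypothetical "before" pattern, in which caller-supplied parameters are pasted into a shell command string, beside a hardened form that validates each parameter against an allowlist and hands tshark an argv list so no shell ever parses the input. The function names, the regexes and the exact tshark flags are assumptions chosen for illustration.

```python
"""Illustrative OS command injection pattern and a hardened replacement.

Added example, not code from the wireshark-mcp project. The function names,
parameters and tshark invocation below are assumptions for illustration.
"""
import re
import subprocess
from typing import List


# Hypothetical "before": parameters are interpolated into one shell string.
# Everything in `interface` and `bpf_filter` is interpreted by the shell, so
# shell metacharacters in the input become extra commands (the defect class
# CVE-2026-7785 describes; this is not the project's real code).
def build_capture_command_unsafe(interface: str, bpf_filter: str, count: int) -> str:
    return f"tshark -i {interface} -f '{bpf_filter}' -c {count}"


def shell_metachars_survive(cmd: str) -> bool:
    """Report whether a built shell string still carries shell metacharacters."""
    return any(ch in cmd for ch in ";|&`$()<>\n")


# Hardened form: allowlist each parameter, then build an argv list.
_IFACE_RE = re.compile(r"^[A-Za-z0-9_.:-]{1,15}$")  # Linux limits ifnames to 15 chars
# BPF tokens only: letters, digits, spaces, punctuation BPF uses; no quotes,
# backticks, semicolons, dollar signs or newlines.
_FILTER_RE = re.compile(r"^[A-Za-z0-9 ._:/\[\]=!<>&|()-]{0,256}$")


def build_capture_argv(interface: str, bpf_filter: str, count: int) -> List[str]:
    """Validate inputs and return the tshark argv (never a shell string)."""
    if not _IFACE_RE.fullmatch(interface):
        raise ValueError("interface name rejected")
    if not _FILTER_RE.fullmatch(bpf_filter):
        raise ValueError("capture filter rejected")
    if not isinstance(count, int) or not 1 <= count <= 10_000:
        raise ValueError("packet count out of range")
    argv = ["tshark", "-i", interface, "-c", str(count)]
    if bpf_filter:
        argv += ["-f", bpf_filter]
    return argv


def quick_capture_hardened(interface: str, bpf_filter: str, count: int,
                           runner=subprocess.run):
    """Hypothetical hardened wrapper; `runner` is injectable for testing.

    shell=False (the subprocess default) means each argv entry reaches tshark
    verbatim, so even a hostile parameter cannot spawn a second command.
    """
    argv = build_capture_argv(interface, bpf_filter, count)
    return runner(argv, capture_output=True, text=True, timeout=60, check=False)


if __name__ == "__main__":
    # Build only; tshark is not invoked here.
    print(build_capture_argv("eth0", "tcp port 80", 10))
```

The allowlist is defence in depth: the argv list alone removes the shell from the picture, and the regexes additionally reject input that no legitimate interface name or BPF filter needs, which keeps surprising values out of tshark as well. Injecting `runner` lets the wrapper be exercised without a packet capture.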

What This Means For You

  • If your organization utilizes A-G-U-P-T-A wireshark-mcp, you are exposed to remote OS command injection via CVE-2026-7785. Given the public exploit and lack of vendor response, you must immediately identify all instances of this software. Isolate or remove it from production environments until a patch or workaround is available. Do not wait for an official fix; this is a critical, actively exploitable vulnerability.

Related ATT&CK Techniques

T1059.004 (Execution), as tagged in the detection rule below.

Detection Rules

The Sigma rule below was auto-generated for this advisory and mapped to MITRE ATT&CK.

Rule: CVE-2026-7785: Wireshark-MCP OS Command Injection via quick_capture (level: critical; ATT&CK T1059.004, Execution)

Sigma YAML:

title: CVE-2026-7785: Wireshark-MCP OS Command Injection via quick_capture
id: scw-2026-05-05-ai-1
status: experimental
level: critical
description: |
  Detects the execution of the quick_capture function within pyshark_mcp.py by a python interpreter, which is the vulnerable component in CVE-2026-7785. This indicates a potential OS command injection attempt.
author: SCW Feed Engine (AI-generated)
date: 2026-05-05
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-7785/
tags:
  - attack.execution
  - attack.t1059.004
logsource:
  category: process_creation
detection:
  selection:
    Image|endswith:
      - 'python.exe'
    CommandLine|contains:
      - 'pyshark_mcp.py'
      - 'quick_capture'
  condition: selection
falsepositives:
  - Legitimate administrative activity
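To see what the rule's selection actually fires on, the following added example (not part of the original advisory or of any Sigma tooling) evaluates that selection against a few constructed process_creation events. It implements only the modifiers the rule uses (`endswith`, `contains`, plus the standard `all` suffix) with Sigma's default case-insensitive string matching, and it also evaluates a stricter variant of the selection to show the difference. The sample events are constructed, not real telemetry.

```python
"""Evaluate the advisory's Sigma selection over constructed process_creation events.

Added example, not part of the advisory; the events are constructed and the
matcher covers only the modifiers used here (endswith, contains, all).
"""
from typing import Dict, List

# Selection as written in the rule above. In Sigma, the values listed under
# one field are OR-ed, and the different fields of a selection are AND-ed.
SELECTION = {
    "Image|endswith": ["python.exe"],
    "CommandLine|contains": ["pyshark_mcp.py", "quick_capture"],
}

# A stricter variant (assumption, not the page's rule): require both command
# line substrings via `|all`, and accept Unix interpreter names as well.
STRICT_SELECTION = {
    "Image|endswith": ["python.exe", "python3", "python"],
    "CommandLine|contains|all": ["pyshark_mcp.py", "quick_capture"],
}


def _field_matches(value: str, modifiers: List[str], patterns: List[str]) -> bool:
    v = value.lower()  # Sigma string matching is case-insensitive by default
    mode, require_all = modifiers[0], "all" in modifiers[1:]
    hits = []
    for p in patterns:
        p = p.lower()
        if mode == "endswith":
            hits.append(v.endswith(p))
        elif mode == "contains":
            hits.append(p in v)
        else:
            raise ValueError(f"unsupported modifier {mode}")
    return all(hits) if require_all else any(hits)


def selection_matches(event: Dict[str, str], selection: Dict[str, List[str]] = SELECTION) -> bool:
    """True when every field of the selection matches the event."""
    for key, patterns in selection.items():
        field, *modifiers = key.split("|")
        if not _field_matches(event.get(field, ""), modifiers, patterns):
            return False
    return True


# Constructed sample events (not real logs).
SAMPLE_EVENTS = [
    {"id": "win-quick-capture", "Image": r"C:\Python311\python.exe",
     "CommandLine": r"python.exe pyshark_mcp.py quick_capture eth0"},
    {"id": "win-other-tool", "Image": r"C:\Python311\python.exe",
     "CommandLine": r"python.exe pyshark_mcp.py list_interfaces"},
    {"id": "win-unrelated", "Image": r"C:\Python311\python.exe",
     "CommandLine": r"python.exe backup.py"},
    {"id": "linux-quick-capture", "Image": "/usr/bin/python3",
     "CommandLine": "python3 pyshark_mcp.py quick_capture eth0"},
]


def run_rule(events: List[Dict[str, str]] = SAMPLE_EVENTS,
             selection: Dict[str, List[str]] = SELECTION) -> List[str]:
    """Return the ids of the events the selection matches."""
    return [e["id"] for e in events if selection_matches(e, selection)]


if __name__ == "__main__":
    print("as written:", run_rule())
    print("strict variant:", run_rule(selection=STRICT_SELECTION))
```

Two things show up when this runs. Because the values under `CommandLine|contains` are OR-ed, the rule as written also fires on any other pyshark_mcp.py invocation, so the false-positive note about administrative activity is worth taking seriously; `CommandLine|contains|all` narrows it to command lines carrying both substrings. And because `Image|endswith` lists only `python.exe`, a Linux host running the same script under `python3` is not matched at all, even though T1059.004 is the Unix shell technique; the strict variant covers that case.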



Indicators of Compromise

ID              Type                Indicator
CVE-2026-7785   Command Injection   A-G-U-P-T-A wireshark-mcp edaf604416fbc94a201b4043092d4a1b09a12275/400c3da70074f22f3cce7ccb65304cafc7089c89
CVE-2026-7785   Command Injection   Vulnerable function: quick_capture in pyshark_mcp.py
CVE-2026-7785   Command Injection   Attack vector: Remote

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 05, 2026 at 03:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
