CVE-2026-6130

Sažetak

A flaw has been found in chatboxai chatbox up to 1.20.0. This impacts the function StdioClientTransport of the file src/main/mcp/ipc-stdio-transport.ts of the component Model Context Protocol Server Management System. Executing a manipulation of the argument args/env can lead to os command injection. The attack can be launched remotely. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet.

Reference

https://github.com/chatboxai/chatbox/
https://github.com/chatboxai/chatbox/issues/3627
https://github.com/chatboxai/chatbox/issues/3627#issue-4193060116
https://vuldb.com/submit/795355
https://vuldb.com/vuln/356993
https://vuldb.com/vuln/356993/cti

CVSS

Base:	7.5
Impact:	6.4
Exploitability:	10.0

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
PARTIAL	PARTIAL	PARTIAL

CVSS vektor

AV:N/AC:L/Au:N/C:P/I:P/A:P

Zadnje važnije ažuriranje

13-04-2026 - 15:01

Objavljeno

12-04-2026 - 22:16