HIGH SeverityCVSS 4.08.5CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

CVE-2026-7039

Last updated Apr 26, 2026 · Published Apr 26, 2026

Description

A security vulnerability has been detected in tufantunc ssh-mcp up to 1.5.0. The affected element is the function shell.write of the file src/index.ts. Such manipulation of the argument Description leads to command injection. The attack must be carried out locally. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet.

Affected products

1 listed

tufantunc:ssh-mcp

Mappings

CWE

CWE-74CWE-77

CAPEC

None listed.

Research

Command injection: how it works and how to prevent itCommand injection happens when untrusted input reaches a shell or process spawn. Avoid the shell, pass…

Training

Injection TodaySQL, NoSQL, ORM, and LLM injection - what's changed and what hasn't.
Input Validation and Schema EnforcementValidate early, validate strictly - schemas, allowlists, and type-safe boundaries.