CVE-2026-7600 MEDIUM

CVE-2026-7600: ArtMin96 yii2-mcp-server MCP index.ts yii_execute_command os command injection

Vendor Artmin96
Product yii2-mcp-server
Weakness CWE-78
Published May 2, 2026
Last update May 4, 2026

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P

What the vulnerability does

01Description

A flaw has been found in ArtMin96 yii2-mcp-server 1.0.2. This impacts the function yii_command_help/yii_execute_command of the file src/index.ts of the component MCP Interface. Executing a manipulation can lead to os command injection. The attack can be executed remotely. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet.

Key dates

02Disclosure timeline

May 2, 2026 CVE published
May 4, 2026 Record updated