CVE-2026-3680
Received Received - Intake
Remote Command Injection in RyuzakiShinji Biome-MCP-Server

Publication date: 2026-03-07

Last updated on: 2026-04-29

Assigner: VulDB

Description
A security flaw has been discovered in RyuzakiShinji biome-mcp-server up to 1.0.0. Affected by this issue is some unknown functionality of the file biome-mcp-server.ts. Performing a manipulation results in command injection. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. The patch is named 335e1727147efeef011f1ff8b05dd751d8a660be. Applying a patch is the recommended action to fix this issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-07
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-03-08
EPSS Evaluated
2026-06-15
NVD
CVE-2026-3680
EUVD
EUVD-2026-10195
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
ryuzakishinji biome-mcp-server to 1.0.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a security flaw found in the RyuzakiShinji biome-mcp-server up to version 1.0.0. It involves an unknown functionality in the file biome-mcp-server.ts where an attacker can perform a manipulation that results in command injection. This means that an attacker can remotely execute arbitrary commands on the affected system.

The vulnerability can be exploited remotely, and the exploit code has already been made public. The recommended way to fix this issue is to apply the provided patch identified by the hash 335e1727147efeef011f1ff8b05dd751d8a660be.

Impact Analysis

This vulnerability can allow an attacker to remotely execute arbitrary commands on your system running the affected biome-mcp-server software. This could lead to unauthorized control over the system, potentially allowing the attacker to steal data, disrupt services, or use the system as a foothold for further attacks.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

The recommended action to fix this issue is to apply the patch named 335e1727147efeef011f1ff8b05dd751d8a660be.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-3680. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart