CVE-2026-5603
Received Received - Intake
OS Command Injection in elgentos magento2-dev-mcp executeMagerun2Command

Publication date: 2026-04-05

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was identified in elgentos magento2-dev-mcp up to 1.0.2. The affected element is the function executeMagerun2Command of the file src/index.ts. Such manipulation leads to os command injection. An attack has to be approached locally. The exploit is publicly available and might be used. The name of the patch is aa1ffcc0aea1b212c69787391783af27df15ae9d. A patch should be applied to remediate this issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-05
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-04-06
EPSS Evaluated
2026-06-15
NVD
CVE-2026-5603
EUVD
EUVD-2026-19136
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
elgentos magento2-dev-mcp to 1.0.2 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

To mitigate this vulnerability, you should apply the patch named aa1ffcc0aea1b212c69787391783af27df15ae9d.

Since the attack requires local access, restricting local access to trusted users can also help reduce risk.

Executive Summary

This vulnerability exists in the elgentos magento2-dev-mcp software up to version 1.0.2, specifically in the function executeMagerun2Command within the file src/index.ts.

It allows an attacker to perform OS command injection, meaning they can execute arbitrary operating system commands through this function.

The attack requires local access to the system, and an exploit for this vulnerability is publicly available.

A patch identified by the commit aa1ffcc0aea1b212c69787391783af27df15ae9d should be applied to fix this issue.

Impact Analysis

This vulnerability can allow an attacker with local access to execute arbitrary operating system commands on the affected system.

Such command injection can lead to unauthorized actions, potentially compromising the integrity, confidentiality, and availability of the system.

Because the exploit is publicly available, the risk of exploitation is higher if the system is not patched.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-5603. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart