CVE-2026-7157
Command Injection in aider_ai_code's aider_mcp_server (Remote Exploit
Publication date: 2026-04-27
Last updated on: 2026-04-29
Assigner: VulDB
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| disler | aider_mcp_server | to b2516fa466d0d851932da92ee6d0e66946db9efc (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a command injection flaw found in the aider-mcp-server component, specifically in the file src/aider_mcp_server/server.py. It occurs due to improper handling of the argument relative_editable_files, which allows an attacker to inject and execute arbitrary commands remotely.
How can this vulnerability impact me?
The vulnerability allows remote attackers to execute arbitrary commands on the affected system without any authentication or user interaction. This can lead to unauthorized access, data manipulation, system compromise, and potentially further attacks within the network.
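The explanation above names the weakness class (CWE-77) and the tainted argument (relative_editable_files) but not the code that handles it. The following is an added, hypothetical illustration of that weakness class and its mitigation; it is not taken from aider_mcp_server/server.py, and the function names, the "aider" command name and the workspace argument are assumptions made for this example. It contrasts the vulnerable pattern (caller-controlled file names spliced into one command string that a shell would parse) with a hardened one (an argv list run without a shell, plus an allowlist, a workspace-containment check and an option-injection check as defence in depth).

```python
import re
import subprocess
from pathlib import Path

# Added illustration of CWE-77 and its mitigation. Hypothetical code: none of it
# is taken from aider_mcp_server/server.py; the function names, the "aider"
# command and the workspace argument are assumptions made for this example.

# Deliberately strict allowlist for a relative source path: letters, digits,
# dot, underscore, hyphen and forward slash. Shell metacharacters, whitespace,
# NUL and newlines are rejected by construction.
SAFE_RELATIVE_PATH = re.compile(r"^[A-Za-z0-9._/-]+$")


class UnsafeFileArgument(ValueError):
    """Raised when a caller-supplied file name must not reach the command."""


def build_command_unsafe(relative_editable_files):
    """Vulnerable pattern: caller-controlled names are spliced into one command
    string. If that string is handed to a shell (subprocess with shell=True,
    os.system, ...), shell syntax inside a name is parsed as syntax rather than
    as part of a path. Returned here for inspection only, never executed."""
    return "aider " + " ".join(relative_editable_files)


def validate_editable_files(relative_editable_files, workspace):
    """Return canonical workspace-relative paths, or raise UnsafeFileArgument."""
    root = Path(workspace).resolve()
    checked = []
    for name in relative_editable_files:
        if not isinstance(name, str) or not SAFE_RELATIVE_PATH.match(name):
            raise UnsafeFileArgument(f"disallowed characters in file name: {name!r}")
        if name.startswith("-"):
            # A name such as "--option" would be read by the child program as a
            # flag (argument injection), even when no shell is involved.
            raise UnsafeFileArgument(f"file name looks like an option: {name!r}")
        if Path(name).is_absolute():
            raise UnsafeFileArgument(f"absolute path not allowed: {name!r}")
        resolved = (root / name).resolve()
        try:
            relative = resolved.relative_to(root)
        except ValueError:
            # ".." components escaped the workspace after normalisation.
            raise UnsafeFileArgument(f"path escapes workspace: {name!r}") from None
        checked.append(relative.as_posix())
    return checked


def is_accepted(relative_editable_files, workspace):
    """True if every name passes validation, False if any is rejected."""
    try:
        validate_editable_files(relative_editable_files, workspace)
        return True
    except UnsafeFileArgument:
        return False


def build_command_safe(relative_editable_files, workspace):
    """Hardened pattern: an argv list with no shell in the loop. Each file name
    is one argument, so nothing parses it as shell syntax; the validator adds
    defence in depth against traversal and option injection."""
    return ["aider", *validate_editable_files(relative_editable_files, workspace)]


def run_editor(relative_editable_files, workspace):
    """Execute the hardened command. shell=False (the default) is the essential
    property; shlex.quote would only be a fallback if a shell were unavoidable."""
    argv = build_command_safe(relative_editable_files, workspace)
    return subprocess.run(argv, cwd=workspace, check=False)


if __name__ == "__main__":
    print(build_command_unsafe(["app.py; echo injected"]))
    print(build_command_safe(["src/app.py"], "."))
    for bad in ["app.py; echo injected", "../../etc/passwd", "--help"]:
        try:
            build_command_safe([bad], ".")
        except UnsafeFileArgument as exc:
            print("rejected:", exc)
```

The essential fix is the argv list passed to subprocess without a shell; the allowlist and containment checks are not a substitute for it, but they also close the traversal and option-injection cases that a shell-free call alone would not.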