CVE-2026-7588
Received Received - Intake
Path Traversal in coding-standards-mcp via Language Parameter

Publication date: 2026-05-01

Last updated on: 2026-05-01

Assigner: VulDB

Description
A vulnerability was found in ggerve coding-standards-mcp. This issue affects the function get_style_guide/get_best_practices of the file server.py. The manipulation of the argument Language results in path traversal. It is possible to launch the attack remotely. The exploit has been made public and could be used. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. The project was informed of the problem early through an issue report but has not responded yet.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-01
Last Modified
2026-05-01
Generated
2026-06-16
AI Q&A
2026-05-01
EPSS Evaluated
2026-06-15
NVD
CVE-2026-7588
EUVD
EUVD-2026-26704
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
ggerve coding-standards-mcp *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the ggerve coding-standards-mcp project, specifically in the function get_style_guide/get_best_practices within the file server.py. The issue arises from improper handling of the Language argument, which allows an attacker to perform a path traversal attack. This means an attacker can manipulate the input to access files or directories outside the intended scope on the server.

The attack can be launched remotely, and the exploit has already been made public.

Impact Analysis

This vulnerability can allow an attacker to access unauthorized files on the server by exploiting the path traversal flaw. This could lead to exposure of sensitive information or configuration files that should not be accessible, potentially compromising the security of the system.

Compliance Impact

The vulnerability allows unauthorized reading of certain files outside the intended directory, which poses a medium confidentiality risk. This could potentially lead to exposure of sensitive information if such files contain personal or protected data.

However, there is no direct information provided about the impact on compliance with specific standards or regulations such as GDPR or HIPAA.

Detection Guidance

This vulnerability can be detected by analyzing calls to the functions get_style_guide and get_best_practices in the coding-standards-mcp server, specifically looking for manipulation of the Language argument that leads to path traversal.

Detection can involve reviewing logs or monitoring requests that include suspicious path traversal patterns such as sequences like "../../../../" in the Language parameter.

Since the vulnerability involves reading files with suffixes like _style_guide.md or _best_practices.md outside the intended directory, commands or scripts that scan for such access patterns or unexpected file reads could help detect exploitation attempts.

Static code analysis or source code audit tools can be used to detect the vulnerable code usage.

Specific commands are not provided in the resources, but monitoring network traffic for requests to the vulnerable functions with suspicious Language parameters or scanning server logs for path traversal patterns is recommended.

Mitigation Strategies

Immediate mitigation steps include restricting the Language input parameter to a fixed allowlist of known safe values.

Another important step is to validate the resolved file path after input processing to ensure it does not traverse outside the intended templates directory.

Replacing free-form Language input with an enumeration of known template names can prevent arbitrary path traversal.

Since the project uses rolling releases and no fixed version details are available, applying these mitigations in the source code or configuration is critical until an official patch or update is released.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-7588. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart