CVE-2026-7629
Deferred Deferred - Pending Action
Command Injection in Kleneway Awesome-Cursor-MPC-Server

Publication date: 2026-05-02

Last updated on: 2026-05-05

Assigner: VulDB

Description
A flaw has been found in kleneway awesome-cursor-mpc-server up to 2.0.1. Impacted is the function runCodeReviewTool of the file src/tools/codeReview.ts of the component Ccode-Review Tool. Executing a manipulation can lead to command injection. The attack may be launched remotely. The exploit has been published and may be used. The project was informed of the problem early through a pull request but has not reacted yet.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-02
Last Modified
2026-05-05
Generated
2026-06-16
AI Q&A
2026-05-02
EPSS Evaluated
2026-06-14
NVD
CVE-2026-7629
EUVD
EUVD-2026-26791
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
kleneway awesome_cursor_mpc_server to 2.0.1 (inc)
kleneway awesome_cursor_mpc_server to 2.0.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-7629 is a command injection vulnerability found in the awesome-cursor-mpc-server project, specifically in the code-review tool's runCodeReviewTool function within the file src/tools/codeReview.ts. The vulnerability arises because the code uses Node.js's execSync() function unsafely by directly concatenating a user-controlled folderPath parameter into shell commands without proper sanitization. This allows an attacker to inject arbitrary shell commands by including shell metacharacters in the folderPath input.

The vulnerability can be exploited remotely and enables attackers to execute arbitrary commands on the server hosting the MCP service. This can lead to unauthorized actions such as creating files or launching applications. The root cause is the unsafe handling of user input in shell command execution, and the recommended fix involves replacing execSync() with execFileSync() and passing arguments as an array to prevent shell interpretation.

Impact Analysis

This vulnerability allows remote attackers to execute arbitrary commands on the server running the awesome-cursor-mpc-server. As a result, attackers could gain unauthorized access to the system, modify or delete data, create new files, or run malicious applications.

Such unauthorized command execution can compromise the integrity, confidentiality, and availability of the affected system, potentially leading to data theft, system disruption, or further exploitation within the network.

Detection Guidance

This vulnerability can be detected by checking for the presence of unsafe command execution patterns in the code-review tool, specifically the use of Node.js's execSync() function with unsanitized user input such as the folderPath parameter.

You can look for suspicious command injection attempts by monitoring logs for unusual shell metacharacters (;, &, |) in parameters passed to the code-review tool.

To detect exploitation attempts on your system, you might run commands to search for usage of execSync with user input in the source code, for example:

  • grep -r "execSync" ./src/tools/codeReview.ts
  • grep -r folderPath ./src/tools/codeReview.ts

Additionally, monitoring for unexpected file creations or executions (e.g., creation of files or launching unexpected applications like calculator) triggered by the code-review tool could indicate exploitation.

Mitigation Strategies

Immediate mitigation steps include avoiding the use of the vulnerable version (up to 2.0.1) of the awesome-cursor-mpc-server code-review tool until a fix is applied.

If you maintain the code, replace the unsafe execSync() calls that interpolate user input with safer alternatives like execFileSync(), passing user inputs as separate arguments to prevent shell interpretation.

Implement strict input validation and sanitization on the folderPath parameter to ensure no shell metacharacters can be injected.

Monitor for updates or patches from the project repository and apply them once available.

As a temporary workaround, restrict access to the vulnerable service to trusted users or networks to reduce the risk of remote exploitation.

Compliance Impact

The provided information does not specify any direct impact of the CVE-2026-7629 vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-7629. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart