CVE-2026-7785
Deferred Deferred - Pending Action
Command Injection in Wireshark MCP Tool

Publication date: 2026-05-05

Last updated on: 2026-05-05

Assigner: VulDB

Description
A security flaw has been discovered in A-G-U-P-T-A wireshark-mcp edaf604416fbc94a201b4043092d4a1b09a12275/400c3da70074f22f3cce7ccb65304cafc7089c89. This affects the function quick_capture of the file pyshark_mcp.py. The manipulation results in os command injection. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases. The project was informed of the problem early through an issue report but has not responded yet.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-05
Last Modified
2026-05-05
Generated
2026-06-16
AI Q&A
2026-05-05
EPSS Evaluated
2026-06-14
NVD
CVE-2026-7785
EUVD
EUVD-2026-27159
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
a-g-u-p-t-a wireshark-mcp *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-7785 is a command injection vulnerability found in the quick_capture function of the wireshark-mcp project. The flaw occurs because the function uses subprocess.Popen with shell=True, allowing an attacker to inject and execute arbitrary operating system commands by crafting malicious interface parameters containing shell metacharacters.

This vulnerability arises from improper sanitization and validation of user input passed directly to shell commands, enabling attackers to break out of the intended command context and execute unauthorized commands on the server.

Impact Analysis

This vulnerability can have serious impacts including unauthorized execution of OS commands on the server running the wireshark-mcp service. An attacker could expose sensitive data, modify files or configurations, or disrupt system availability.

  • Exposure of sensitive data
  • Modification or deletion of files and configurations
  • Disruption of system availability or denial of service

The attack can be launched remotely by invoking the quick_capture tool with malicious parameters, making it a significant risk if the MCP service is exposed to untrusted clients or environments.

Detection Guidance

This vulnerability can be detected by monitoring for unusual or suspicious invocations of the quick_capture tool with interface parameters containing shell metacharacters or unexpected payloads.

Specifically, detection involves checking for command executions where user input is passed unsanitized to shell commands, such as interface names including characters like ";" or other shell control characters.

You can inspect running processes or command histories for suspicious quick_capture invocations, for example by using commands like:

  • ps aux | grep quick_capture
  • grep -E 'quick_capture.*[";|&]' /var/log/syslog /var/log/auth.log
  • auditctl -w /path/to/pyshark_mcp.py -p x -k quick_capture_exec

Additionally, network traffic analysis tools like Wireshark or the MCP server itself can be used to detect unusual requests invoking quick_capture with suspicious interface parameters.

Compliance Impact

The vulnerability allows remote OS command injection via the quick_capture function, potentially leading to unauthorized command execution, exposure of sensitive data, modification of files or configurations, and disruption of system availability.

Such unauthorized access and potential data exposure could negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive data and system integrity.

Mitigations such as restricting service exposure, running with least privilege, and validating inputs are important to maintain compliance and reduce risk.

Mitigation Strategies

Immediate mitigation steps include:

  • Avoid using the quick_capture tool until a fix is available.
  • Restrict access to the MCP service to trusted clients only.
  • Run the MCP service with least privilege and apply sandboxing controls to limit the impact of potential exploitation.
  • Disable or remove the quick_capture functionality in untrusted environments.
  • Validate and whitelist network interface parameters to prevent shell metacharacter injection.
  • Avoid using subprocess calls with shell=True; instead, construct commands as argument lists without shell invocation.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-7785. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart