CVE-2026-16133
Received Received - Intake

Command Injection in LiuMengxuan04 MiniCode

Vulnerability report for CVE-2026-16133, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-18

Last updated on: 2026-07-18

Assigner: VulDB

Description

A flaw has been found in LiuMengxuan04 MiniCode 0.1.0. Affected by this vulnerability is the function child_process.spawn of the file mcp.ts. Executing a manipulation can lead to command injection. The attack can be launched remotely. The attack requires a high level of complexity. The exploitation appears to be difficult. The exploit has been published and may be used. The pull request to fix this issue awaits acceptance.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-18
Last Modified
2026-07-18
Generated
2026-07-19
AI Q&A
2026-07-18
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
liumengxuan04 minicode 0.1.0
liumengxuan04 minicode From 0.1.0 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is a command injection flaw in LiuMengxuan04 MiniCode 0.1.0. It involves the function child_process.spawn in the file mcp.ts, where a manipulation can lead to arbitrary command execution. The attack is remote, requires high complexity, and is difficult to exploit. A proof-of-concept has been published, and a fix is pending acceptance.

Detection Guidance

Check for suspicious .mcp.json files in project directories. Inspect MiniCode logs for unexpected command executions. Use network monitoring tools to detect outbound connections to unknown servers. Examine environment variables for unauthorized modifications.

Impact Analysis

An attacker could place a malicious .mcp.json file in a project. When you open the project in MiniCode, commands in this file execute automatically via child_process.spawn without user interaction. This could lead to arbitrary code execution, data exfiltration, or credential theft if sensitive environment variables are exposed.

Compliance Impact

This vulnerability could lead to unauthorized data access or exfiltration, violating GDPR's data protection principles and HIPAA's security requirements. Organizations using MiniCode may face compliance breaches if sensitive data is compromised due to the lack of proper access controls.

Mitigation Strategies
  • Update MiniCode to the latest version with the security patch applied.
  • Set MINI_CODE_TRUST_PROJECT_MCP=0 to disable automatic execution of project MCP files.
  • Review and remove any untrusted .mcp.json files in your repositories.
  • Monitor for unusual command executions or network activity from MiniCode processes.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-16133. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart