Vulnerabilities ›

CVE-2026-5603

Medium

CWE-77 — Weakness Type

                    Published: Apr 5, 2026                      ·  Modified: Apr 8, 2026                      ·  Source: NVD                

CVSS v3

5.3

🔗 NVD Official

📄 Description (English)

A vulnerability was identified in elgentos magento2-dev-mcp up to 1.0.2. The affected element is the function executeMagerun2Command of the file src/index.ts. Such manipulation leads to os command injection. An attack has to be approached locally. The exploit is publicly available and might be used. The name of the patch is aa1ffcc0aea1b212c69787391783af27df15ae9d. A patch should be applied to remediate this issue.

🤖 AI Executive Summary

CVE-2026-5603 is an OS command injection vulnerability in elgentos magento2-dev-mcp versions up to 1.0.2 affecting the executeMagerun2Command function. The vulnerability requires local access and has a publicly available exploit, necessitating immediate patching.

📄 Description (Arabic)

يؤثر هذا الضعف على مكتبة elgentos magento2-dev-mcp حتى الإصدار 1.0.2 ويسمح بحقن أوامر نظام التشغيل عبر دالة executeMagerun2Command. يتطلب الاستغلال وصولاً محلياً وتتوفر نسخة استغلال عامة للجمهور.

🤖 ملخص تنفيذي (AI)

A command injection flaw exists in elgentos magento2-dev-mcp up to version 1.0.2 in the executeMagerun2Command function. Local attackers can exploit this vulnerability using publicly available exploits to execute arbitrary OS commands.

🤖 AI Intelligence Analysis Analyzed: May 30, 2026 02:39

🇸🇦 Saudi Arabia Impact Assessment

Saudi Relevance: medium

🏢 Affected Saudi Sectors

banking telecom government

🎯 MITRE ATT&CK Techniques

T1059.004 T1059.007

⚖️ Saudi Risk Score (AI)

5.0

/ 10.0

🔧 Remediation Steps (English)

Update elgentos magento2-dev-mcp to version 1.0.3 or later, or apply patch aa1ffcc0aea1b212c69787391783af27df15ae9d. Restrict local access to development environments and implement input validation for command parameters.

🔧 خطوات المعالجة (العربية)

قم بتحديث elgentos magento2-dev-mcp إلى الإصدار 1.0.3 أو أحدث، أو طبق التصحيح aa1ffcc0aea1b212c69787391783af27df15ae9d. قيد الوصول المحلي إلى بيئات التطوير وطبق التحقق من صحة المدخلات لمعاملات الأوامر.

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

A.14.2.1 A.14.2.5

🔵 SAMA CSF

CC-6.1 CC-6.2

🟡 ISO 27001:2022

A.12.2.1 A.14.2.1

🔗 References & Sources 8

🔗

https://github.com/elgentos/magento2-dev-mcp/

cna@vuldb.com

🔗

https://github.com/elgentos/magento2-dev-mcp/commit/aa1ffcc0aea1b212c69787391783af27df1...

cna@vuldb.com

🔗

https://github.com/elgentos/magento2-dev-mcp/issues/4

cna@vuldb.com

🔗

https://github.com/elgentos/magento2-dev-mcp/pull/5

cna@vuldb.com

🔗

https://github.com/user-attachments/files/25895777/magento2-dev-mcp_bug.pdf

cna@vuldb.com

🔗

https://vuldb.com/submit/784864

cna@vuldb.com

🔗

https://vuldb.com/vuln/355395

cna@vuldb.com

🔗

https://vuldb.com/vuln/355395/cti

cna@vuldb.com

📊 CVSS Score

5.3

/ 10.0 — Medium

📊 CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Attack VectorL — Low / Local

Attack ComplexityL — Low / Local

Privileges RequiredL — Low / Local

User InteractionN — None / Network

ScopeU — Unchanged

ConfidentialityL — Low / Local

IntegrityL — Low / Local

AvailabilityL — Low / Local

📋 Quick Facts

Severity Medium

CVSS Score5.3

CWECWE-77

EPSS0.06%

Exploit No

Patch ✗ No

Published 2026-04-05

Source Feed nvd

🇸🇦 Saudi Risk Score

5.0

/ 10.0 — Saudi Risk

Priority: MEDIUM

🏷️ Tags

CWE-77

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

CVE-2026-5603

Introduce Yourself

Sign In Required