CVE-2026-0755
published 2026-01-23CVE-2026-0755: gemini-mcp-tool execAsync Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on…
PriorityP277critical9.8CVSS 3.0
AVNACLPRNUINSUCHIHAH
EPSS
3.34%
87.1th percentile
gemini-mcp-tool execAsync Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of gemini-mcp-tool. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the implementation of the execAsync method. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-27783.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| gemini_mcp_tool | gemini-mcp-tool | — | — |
| gemini_mcp_tool | gemini-mcp-tool | >= 1.1.2 < 1.1.6 | 1.1.6 |
CVSS provenance
nvdv3.09.8CRITICALCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ghsa9.8CRITICAL
vendor_redhat6.1MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
@anthropic-ai/claude-code has an Insecure Temporary File in /copy Command that Enables Response Disclosure and Symlink-Based File Write
ghsa·2026-06-25
CVE-2026-46406 [MEDIUM] CWE-59 @anthropic-ai/claude-code has an Insecure Temporary File in /copy Command that Enables Response Disclosure and Symlink-Based File Write
@anthropic-ai/claude-code has an Insecure Temporary File in /copy Command that Enables Response Disclosure and Symlink-Based File Write
The Claude Code `/copy` command wrote responses to a hardcoded, predictable path (`/tmp/claude/response.md`) without UID isolation, randomness, or symlink protection. The file was created world-readable (0644) in a world-traversable directory (0755), allowing any local user to read a privileged user's Claude response, which could contain secrets or credentials. Additionally, because the path was static and predictable, a local attacker could pre-create the directory and plant a symlink at the expected file path, causing the privileged process to follow the symlink and overwrite an attacker-chosen file with the response text. Exploiting this required a loc
VulDB
gemini-mcp-tool execAsync command injection (EUVD-2026-4492)
vuldb·2026-06-19·CVSS 9.8
CVE-2026-0755 [CRITICAL] gemini-mcp-tool execAsync command injection (EUVD-2026-4492)
A vulnerability described as critical has been identified in gemini-mcp-tool. The affected element is the function execAsync. Executing a manipulation can lead to command injection.
The identification of this vulnerability is CVE-2026-0755. The attack may be launched remotely. There is no exploit available.
GHSA
gemini-mcp-tool vulnerable to OS command injection and @file exfiltration via prompt quoting (CVE-2026-0755)
ghsa·2026-06-18·CVSS 9.8
CVE-2026-0755 [CRITICAL] CWE-78 gemini-mcp-tool vulnerable to OS command injection and @file exfiltration via prompt quoting (CVE-2026-0755)
gemini-mcp-tool vulnerable to OS command injection and @file exfiltration via prompt quoting (CVE-2026-0755)
Untrusted prompt input could reach the Gemini CLI @file parser, allowing read/exfiltration of arbitrary local files (@/etc/passwd, @~/.ssh/id_rsa, @../../secret). On Windows, unquoted cmd.exe metacharacters could break out into OS command injection.
Fix (1.1.6): removed the broken shell:false double-quote wrapping; added assertSafeFileReferences() to contain @file refs to the working directory; hardened Windows cmd.exe argument quoting.
GHSA
Flight has path traversal in `make:controller` CLI that creates arbitrary directories outside project root
ghsa·2026-05-06
CVE-2026-42549 [MEDIUM] CWE-22 Flight has path traversal in `make:controller` CLI that creates arbitrary directories outside project root
Flight has path traversal in `make:controller` CLI that creates arbitrary directories outside project root
### Summary
The `make:controller` CLI command calls `mkdir(..., recursive: true)` on a path built from the user-supplied controller name, **before** Nette's class-name validation runs. The class-file write is correctly rejected by Nette when the name contains `/`, but the recursive directory creation side effect is already committed — including directories located outside the project root through `../` traversal.
### Affected code
`flight/commands/ControllerCommand.php` (≈ 63-66):
```php
if (is_dir(dirname($controllerPath)) === false) {
$io->info('Creating directory ' . dirname($controllerPath), true);
mkdir(dirname($controllerPath), 0755, true); // un-normalized, runs before valid
GHSA
uutils coreutils has a Time-of-check Time-of-use (TOCTOU) Race Condition
ghsa·2026-04-22
CVE-2026-35353 [LOW] CWE-367 uutils coreutils has a Time-of-check Time-of-use (TOCTOU) Race Condition
uutils coreutils has a Time-of-check Time-of-use (TOCTOU) Race Condition
The mkdir utility in uutils coreutils incorrectly applies permissions when using the -m flag by creating a directory with umask-derived permissions (typically 0755) before subsequently changing them to the requested mode via a separate chmod system call. In multi-user environments, this introduces a brief window where a directory intended to be private is accessible to other users, potentially leading to unauthorized data access.
GHSA
GHSA-28qq-5f47-r5x2: gemini-mcp-tool execAsync Command Injection Remote Code Execution Vulnerability
ghsa_unreviewed·2026-01-23
CVE-2026-0755 [CRITICAL] CWE-78 GHSA-28qq-5f47-r5x2: gemini-mcp-tool execAsync Command Injection Remote Code Execution Vulnerability
gemini-mcp-tool execAsync Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of gemini-mcp-tool. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the implementation of the execAsync method. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-27783.
GHSA
Duplicate Advisory: gemini-mcp-tool vulnerable to OS command injection and @file exfiltration via prompt quoting (CVE-2026-0755)
ghsa·2026-01-23·CVSS 9.8
CVE-2026-0755 [CRITICAL] CWE-78 Duplicate Advisory: gemini-mcp-tool vulnerable to OS command injection and @file exfiltration via prompt quoting (CVE-2026-0755)
Duplicate Advisory: gemini-mcp-tool vulnerable to OS command injection and @file exfiltration via prompt quoting (CVE-2026-0755)
### Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-4h5r-5jm8-jxjm. This link is maintained to preserve external references.
### Original Description
gemini-mcp-tool execAsync Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of gemini-mcp-tool. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the implementation of the execAsync method. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage
Red Hat
@anthropic-ai/claude-code: Claude Code: Information disclosure and file overwrite via insecure temporary file in /copy command
vendor_redhat·2026-06-29·CVSS 6.1
CVE-2026-46406 [MEDIUM] CWE-59 @anthropic-ai/claude-code: Claude Code: Information disclosure and file overwrite via insecure temporary file in /copy command
@anthropic-ai/claude-code: Claude Code: Information disclosure and file overwrite via insecure temporary file in /copy command
Claude Code is an agentic coding tool. From 2.1.59 until 2.1.128, the Claude Code /copy command wrote responses to a hardcoded, predictable path (/tmp/claude/response.md) without UID isolation, randomness, or symlink protection. The file was created world-readable (0644) in a world-traversable directory (0755), allowing any local user to read a privileged user's Claude response, which could contain secrets or credentials. Additionally, because the path was static and predictable, a local attacker could pre-create the directory and plant a symlink at the expected file path, causing the privileged process to follow the symlink and overwrite an attacker-chosen file w
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-46406 @anthropic-ai/claude-code: Claude Code: Information disclosure and file overwrite via insecure temporary file in /copy command
bugzilla·2026-06-29·CVSS 6.1
CVE-2026-46406 [MEDIUM] CVE-2026-46406 @anthropic-ai/claude-code: Claude Code: Information disclosure and file overwrite via insecure temporary file in /copy command
CVE-2026-46406 @anthropic-ai/claude-code: Claude Code: Information disclosure and file overwrite via insecure temporary file in /copy command
Claude Code is an agentic coding tool. From 2.1.59 until 2.1.128, the Claude Code /copy command wrote responses to a hardcoded, predictable path (/tmp/claude/response.md) without UID isolation, randomness, or symlink protection. The file was created world-readable (0644) in a world-traversable directory (0755), allowing any local user to read a privileged user's Claude response, which could contain secrets or credentials. Additionally, because the path was static and predictable, a local attacker could pre-create the directory and plant a symlink at the expected file path, causing the privileged process to follow the symlink and overwrite an attacke
Bugzilla
CVE-2026-35353 rust-coreutils: mkdir: permission exposure race condition with -m
bugzilla·2026-04-22·CVSS 3.3
CVE-2026-35353 [LOW] CVE-2026-35353 rust-coreutils: mkdir: permission exposure race condition with -m
CVE-2026-35353 rust-coreutils: mkdir: permission exposure race condition with -m
The mkdir utility in uutils coreutils incorrectly applies permissions when using the -m flag by creating a directory with umask-derived permissions (typically 0755) before subsequently changing them to the requested mode via a separate chmod system call. In multi-user environments, this introduces a brief window where a directory intended to be private is accessible to other users, potentially leading to unauthorized data access.
2026-01-23
Published