CVE-2026-2178
published 2026-02-08CVE-2026-2178: A vulnerability was found in r-huijts xcode-mcp-server up to f3419f00117aa9949e326f78cc940166c88f18cb. This affects the function registerXcodeTools of the file…
PriorityP267high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
EPSS
2.95%
85.5th percentile
A vulnerability was found in r-huijts xcode-mcp-server up to f3419f00117aa9949e326f78cc940166c88f18cb. This affects the function registerXcodeTools of the file src/tools/xcode/index.ts of the component run_lldb. The manipulation of the argument args results in command injection. It is possible to launch the attack remotely. The exploit has been made public and could be used. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. The patch is identified as 11f8d6bacadd153beee649f92a78a9dad761f56f. Applying a patch is advised to resolve this issue.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| r-huijts | xcode-mcp-server | — | — |
| r-huijts | xcode-mcp-server | 0 – 1.0.3 | — |
| r-huijts | xcode_mcp_server | <= 2025-08-26 | — |
CVSS provenance
nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvdv4.02.1LOWCVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
nvdv2.06.5MEDIUMAV:N/AC:L/Au:S/C:P/I:P/A:P
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
xcode-mcp-server vulnerable to Command Injection
osv·2026-02-08
CVE-2026-2178 [LOW] xcode-mcp-server vulnerable to Command Injection
xcode-mcp-server vulnerable to Command Injection
A vulnerability was found in r-huijts xcode-mcp-server up to f3419f00117aa9949e326f78cc940166c88f18cb. This affects the function registerXcodeTools of the file src/tools/xcode/index.ts of the component run_lldb. The manipulation of the argument args results in command injection. It is possible to launch the attack remotely. The exploit has been made public and could be used. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. The patch is identified as 11f8d6bacadd153beee649f92a78a9dad761f56f. Applying a patch is advised to resolve this issue.
GHSA
xcode-mcp-server vulnerable to Command Injection
ghsa·2026-02-08
CVE-2026-2178 [LOW] CWE-74 xcode-mcp-server vulnerable to Command Injection
xcode-mcp-server vulnerable to Command Injection
A vulnerability was found in r-huijts xcode-mcp-server up to f3419f00117aa9949e326f78cc940166c88f18cb. This affects the function registerXcodeTools of the file src/tools/xcode/index.ts of the component run_lldb. The manipulation of the argument args results in command injection. It is possible to launch the attack remotely. The exploit has been made public and could be used. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. The patch is identified as 11f8d6bacadd153beee649f92a78a9dad761f56f. Applying a patch is advised to resolve this issue.
No detection rules found.
No public exploits indexed.
Wiz
CVE-2026-2178 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2026-2178 [MEDIUM] CVE-2026-2178 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-2178 :
JavaScript vulnerability analysis and mitigation
A vulnerability was found in r-huijts xcode-mcp-server up to f3419f00117aa9949e326f78cc940166c88f18cb. This affects the function registerXcodeTools of the file src/tools/xcode/index.ts of the component run_lldb. The manipulation of the argument args results in command injection. It is possible to launch the attack remotely. The exploit has been made public and could be used. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. The patch is identified as 11f8d6bacadd153beee649f92a78a9dad761f56f. Applying a patch is advised to resolve this issue.
Source : NVD
## 5.3
Score
Published February 8, 2026
Severity
Bugzilla
CVE-2026-43437 kernel: ALSA: pcm: fix use-after-free on linked stream runtime in snd_pcm_drain()
bugzilla·2026-05-08
CVE-2026-43437 [MEDIUM] CVE-2026-43437 kernel: ALSA: pcm: fix use-after-free on linked stream runtime in snd_pcm_drain()
CVE-2026-43437 kernel: ALSA: pcm: fix use-after-free on linked stream runtime in snd_pcm_drain()
In the Linux kernel, the following vulnerability has been resolved:
ALSA: pcm: fix use-after-free on linked stream runtime in snd_pcm_drain()
In the drain loop, the local variable 'runtime' is reassigned to a
linked stream's runtime (runtime = s->runtime at line 2157). After
releasing the stream lock at line 2169, the code accesses
runtime->no_period_wakeup, runtime->rate, and runtime->buffer_size
(lines 2170-2178) — all referencing the linked stream's runtime without
any lock or refcount protecting its lifetime.
A concurrent close() on the linked stream's fd triggers
snd_pcm_release_substream() → snd_pcm_drop() → pcm_release_private()
→ snd_pcm_unlink() → snd_pcm_detach_substream() → kfree
https://github.com/r-huijts/xcode-mcp-server/https://github.com/r-huijts/xcode-mcp-server/commit/11f8d6bacadd153beee649f92a78a9dad761f56fhttps://github.com/r-huijts/xcode-mcp-server/issues/13https://github.com/r-huijts/xcode-mcp-server/issues/13#issue-3878065790https://vuldb.com/?ctiid.344881https://vuldb.com/?id.344881https://vuldb.com/?submit.749569
2026-02-08
Published