CVE-2026-7416
Published 2026-04-29
Priority: P259, high. CVSS 3.1: 7.3
AV:N / AC:L / PR:N / UI:N / S:U / C:L / I:L / A:L
EPSS: 1.63% (73.2th percentile)
A vulnerability was found in PolarVista xcode-mcp-server 1.0.0. This issue affects the function build_project/run_tests of the file src/index.ts of the component MCP Interface. The manipulation of the argument Request results in os command injection. The attack may be launched remotely. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| polarvista | xcode-mcp-server | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.3 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L |
| nvd | v4.0 | 5.5 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
GHSA
GHSA-vmcc-m2xv-hrp5: A vulnerability was found in PolarVista xcode-mcp-server 1
ghsa_unreviewed · 2026-04-30
CVE-2026-7416 [MEDIUM] CWE-77 GHSA-vmcc-m2xv-hrp5: A vulnerability was found in PolarVista xcode-mcp-server 1
VulDB
PolarVista xcode-mcp-server 1.0.0 MCP Interface src/index.ts build_project/run_tests Request os command injection (EUVD-2026-26293)
vuldb · 2026-04-29 · CVSS 5.5
CVE-2026-7416 [MEDIUM] PolarVista xcode-mcp-server 1.0.0 MCP Interface src/index.ts build_project/run_tests Request os command injection (EUVD-2026-26293)
A vulnerability categorized as critical has been discovered in PolarVista xcode-mcp-server 1.0.0. This issue affects the function build_project/run_tests of the file src/index.ts of the component MCP Interface. The manipulation of the argument Request results in os command injection.
This vulnerability is cataloged as CVE-2026-7416. The attack may be launched remotely. Furthermore, there is an exploit available.
The project was informed of the problem early through an issue report but has not responded yet.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2026-04-29