Platform: nodejs
Component: @elgentos/magento2-dev-mcp
Fixed in: 1.0.1, 1.0.2, 1.0.3
CVE-2026-5603 is a Command Injection vulnerability discovered in the elgentos magento2-dev-mcp package, specifically within the executeMagerun2Command function of src/index.ts. This flaw allows an attacker with local access to execute arbitrary operating system commands. The vulnerability impacts versions of elgentos magento2-dev-mcp up to 1.0.2, and a patch (aa1ffcc0aea1b212c69787391783af27df15ae9d) is available to address the issue.
Successful exploitation of CVE-2026-5603 allows an attacker to execute arbitrary commands on the system where elgentos magento2-dev-mcp is running. This can lead to complete system compromise, including data theft, modification, or deletion. Given the local access requirement, this vulnerability is most concerning in environments where developers or other privileged users have direct access to the server. The availability of a public exploit significantly increases the risk of exploitation, as attackers can readily leverage it to gain unauthorized access and control.
CVE-2026-5603 was publicly disclosed on 2026-04-06. The existence of a public proof-of-concept (PoC) indicates a high likelihood of exploitation. The vulnerability is not currently listed on CISA KEV, and no confirmed exploitation campaigns are publicly known as of this writing. The NVD entry for this CVE is expected to be published shortly after the public disclosure.
Exploit Status
EPSS: 0.08% (24th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-5603 is to immediately apply the provided patch (aa1ffcc0aea1b212c69787391783af27df15ae9d). If upgrading is not immediately feasible due to compatibility issues or breaking changes, restrict local access to the server running elgentos magento2-dev-mcp. Implement strict access controls and regularly audit user permissions. Consider using a Web Application Firewall (WAF) to filter potentially malicious requests, although this is not a complete solution due to the local access requirement. After applying the patch, verify the fix by attempting to trigger the vulnerable function with a command injection payload and confirming that it is properly sanitized.
Update the elgentos magento2-dev-mcp module to a fixed version. Apply the patch aa1ffcc0aea1b212c69787391783af27df15ae9d to mitigate the operating system (OS) command injection vulnerability.
CVE-2026-5603 is a Command Injection vulnerability affecting elgentos magento2-dev-mcp versions up to 1.0.2, allowing attackers to execute OS commands locally.
You are affected if you are using elgentos magento2-dev-mcp version 1.0.2 or earlier. Upgrade to the patched version to mitigate the risk.
Apply the patch aa1ffcc0aea1b212c69787391783af27df15ae9d. If immediate upgrade is not possible, restrict local access to the server.
A public proof-of-concept exists, indicating a high likelihood of exploitation. Active campaigns are not yet confirmed, but the risk is elevated.
Refer to the elgentos security advisory for detailed information and updates regarding CVE-2026-5603.