Platform
nodejs
Component
valemcp
Fixed in
0.1.1
CVE-2026-5621 is a command injection vulnerability in Vale-MCP, a project developed by ChrisChinchilla. An attacker with local access can execute arbitrary operating system commands by manipulating the config_path argument handled by the HTTP Interface component (src/index.ts). Versions 0.1.0 and earlier are affected, and a public exploit is already available, which raises the likelihood of immediate exploitation.
Successful exploitation of CVE-2026-5621 lets an attacker run arbitrary commands on the host with the privileges of the Vale-MCP process. This can lead to full compromise of that host, including data exfiltration, malware installation and denial of service. Because local access is required, the risk is highest where the Vale-MCP process runs with elevated privileges or where local access controls are weak; the public exploit lowers the barrier to entry further.
CVE-2026-5621 was published on 2026-04-06. Exploitation probability is rated medium, driven by the public availability of a proof-of-concept exploit. The vendor, ChrisChinchilla, was contacted about the vulnerability but did not respond. The local-access requirement narrows the pool of potential attackers but does not eliminate the risk.
Exploit Status
Public proof-of-concept available
EPSS
0.50% (66th percentile)
The primary mitigation for CVE-2026-5621 is to upgrade to a patched release of Vale-MCP; the metadata above lists 0.1.1 as the fixed version, so move to it if it is available to you. Where upgrading is not yet possible, limit the impact: validate the config_path argument strictly (allow-list the permitted characters, canonicalise the path and confine it to a known configuration directory) and reject anything else. If the argument is interpolated into a shell command string, the root-cause fix is to stop invoking a shell and pass the path as a discrete argument (for example child_process.execFile with an argv array) so that no shell ever parses attacker-controlled text; character filtering on its own is a stop-gap. Run the Vale-MCP process with the least privileges necessary so that a successful injection gains as little as possible. Because the affected code sits in the HTTP Interface component, a WAF or reverse-proxy rule that blocks requests carrying shell metacharacters in config_path adds a layer of defence until the code is fixed. After applying mitigations, verify them by sending a controlled, harmless payload (for example a shell separator followed by a command that creates a marker file) and confirming that the marker never appears.
Upgrade to a fixed version of Vale-MCP. Since the vendor has not responded, investigate and apply patches manually to mitigate operating system command injection via the configuration path. Consider removing or restricting access to the affected functionality until an official update is published.
CVE-2026-5621 is a medium severity command injection vulnerability affecting Vale-MCP versions 0.1.0 and earlier. It allows attackers with local access to execute arbitrary commands by manipulating the config_path argument.
You are affected if you run Vale-MCP version 0.1.0 or earlier. Check your installed version and apply mitigations immediately.
Upgrade to a patched version of Vale-MCP; the metadata above lists 0.1.1 as the fixed version. Until you can upgrade, validate the config_path argument and run the process with restricted privileges as temporary mitigations.
A public exploit exists, so active exploitation is plausible. Monitor affected hosts for unexpected child processes spawned by the Vale-MCP process and for other suspicious activity.
As of the publication date, no official advisory has been released by ChrisChinchilla. Monitor their project repository for updates.