Platform
nodejs
Component
mcp-vegalite-server
Fixed in
16.0.1
CVE-2026-1977 describes a code injection vulnerability discovered in the isaacwasserman mcp-vegalite-server component. This flaw allows remote attackers to inject arbitrary code by manipulating the vegalite_specification argument within the eval function of the visualizedata component. The vulnerability affects versions of mcp-vegalite-server up to commit hash 16aefed598b8cd897b78e99b907f6e2984572c61. Due to the project's rolling release system, a specific fixed version is not yet available.
Successful exploitation of CVE-2026-1977 enables an attacker to execute arbitrary code on the server hosting the mcp-vegalite-server component. This could lead to complete system compromise, including data exfiltration, denial of service, and further malicious activity. The ability to inject code remotely significantly expands the attack surface, potentially impacting any user or system interacting with the vulnerable server. Given the code injection nature, the blast radius could extend to other services or data accessible from the compromised server, depending on the server's configuration and permissions.
CVE-2026-1977 has been publicly disclosed and a proof-of-concept exploit is available, indicating a high likelihood of exploitation. The vulnerability was published on 2026-02-06. It is not currently listed on CISA KEV, and an EPSS score is pending evaluation. Active campaigns targeting this vulnerability are currently unknown, but the public availability of a PoC suggests potential for opportunistic exploitation.
Organizations utilizing mcp-vegalite-server in production environments, particularly those with exposed endpoints or lacking robust input validation, are at significant risk. Systems with older, unpatched versions of Node.js running mcp-vegalite-server are especially vulnerable. Shared hosting environments where multiple users share the same server instance could also be impacted if one user's instance is compromised.
• nodejs / server: `ps aux | grep mcp-vegalite-server`
• nodejs / server: `journalctl -u mcp-vegalite-server -f | grep -i "eval"`
• generic web: `curl -I http://your-server/vegalite/data | grep -i "Content-Type"`
Exploit Status
EPSS
0.06% (17th percentile)
CISA SSVC
CVSS Vector
Due to the rolling release nature of mcp-vegalite-server, a specific patched version is not yet available. The project recommends closely monitoring their release channels for updates. As a temporary workaround, implement strict input validation on the vegalite_specification argument to sanitize any potentially malicious code. Consider deploying a Web Application Firewall (WAF) with rules to detect and block code injection attempts targeting the eval function. Regularly review and update server configurations to minimize potential attack vectors and limit the privileges of the mcp-vegalite-server process. After applying any mitigations, verify their effectiveness by attempting to reproduce the vulnerability with a safe test payload.
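The temporary mitigation above asks for strict validation of the vegalite_specification argument. The following is an added example, not code from the mcp-vegalite-server project, showing what the hardened parsing path looks like: the untrusted specification is parsed with JSON.parse (which only produces data and never evaluates code) instead of eval, and the result is then checked structurally. The allow-list of top-level keys, the size cap, and the sample specifications are assumptions chosen for illustration; a production deployment would validate against the Vega-Lite JSON schema.

```javascript
// Added example, not code from the mcp-vegalite-server project. It replaces eval-based
// parsing of an untrusted vegalite_specification argument with strict JSON parsing plus
// structural checks. The key allow-list and size cap are illustrative assumptions.

const ALLOWED_TOP_LEVEL_KEYS = new Set([
  "$schema", "description", "title", "data", "mark", "encoding",
  "transform", "layer", "width", "height", "config", "params",
]);
const MAX_SPEC_BYTES = 256 * 1024; // assumed size cap for a single specification

// Returns { ok: true, spec } or { ok: false, reason }. It never throws and never
// evaluates the input as code, so there is no path from the argument to execution.
function parseVegaLiteSpec(raw) {
  if (typeof raw !== "string") {
    return { ok: false, reason: "spec must be a string" };
  }
  if (Buffer.byteLength(raw, "utf8") > MAX_SPEC_BYTES) {
    return { ok: false, reason: "spec too large" };
  }
  let spec;
  try {
    spec = JSON.parse(raw); // pure data; any JavaScript expression is rejected here
  } catch (_) {
    return { ok: false, reason: "spec is not valid JSON" };
  }
  if (spec === null || typeof spec !== "object" || Array.isArray(spec)) {
    return { ok: false, reason: "spec must be a JSON object" };
  }
  // Only known Vega-Lite top-level keys are accepted; anything else (including
  // "__proto__" or handler-like names) is refused before the spec reaches the renderer.
  for (const key of Object.keys(spec)) {
    if (!ALLOWED_TOP_LEVEL_KEYS.has(key)) {
      return { ok: false, reason: `unexpected top-level key: ${key}` };
    }
  }
  if (!("mark" in spec) && !("layer" in spec)) {
    return { ok: false, reason: "spec needs a mark or layer" };
  }
  return { ok: true, spec };
}

// Constructed sample inputs (not taken from the advisory or the project).
const GOOD_SPEC = JSON.stringify({
  mark: "bar",
  data: { values: [{ x: "a", y: 1 }, { x: "b", y: 3 }] },
  encoding: {
    x: { field: "x", type: "nominal" },
    y: { field: "y", type: "quantitative" },
  },
});
// A JavaScript object literal: eval would evaluate it, JSON.parse refuses it.
const NOT_JSON = "({mark: 'bar'})";
// Valid JSON, but carries a key that is not part of a Vega-Lite spec.
const UNEXPECTED_KEY = JSON.stringify({ mark: "bar", onload: "x" });

if (typeof require !== "undefined" && require.main === module) {
  for (const input of [GOOD_SPEC, NOT_JSON, UNEXPECTED_KEY]) {
    console.log(JSON.stringify(parseVegaLiteSpec(input)));
  }
}
```

The design point is that JSON.parse is a data decoder, not an interpreter: whatever the caller sends, the worst outcome is a parse error rather than code execution. The allow-list then narrows the accepted shape further, so a WAF rule or log search for "eval" becomes a secondary control rather than the only one.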
Update the mcp-vegalite-server package to a fixed version. Unfortunately, no specific fixed version is available, so it is recommended to look for an updated version or to contact the project maintainer to obtain a fix.
CVE-2026-1977 is a medium severity code injection vulnerability affecting mcp-vegalite-server versions up to 16aefed598b8cd897b78e99b907f6e2984572c61. It allows remote attackers to inject code via the vegalite_specification argument.
If you are using mcp-vegalite-server versions prior to the rolling release update, you are potentially affected. Check your commit hash against the affected range (≤16aefed598b8cd897b78e99b907f6e2984572c61).
Due to the rolling release system, a specific fixed version is not yet available. Monitor the project's release channels for updates and implement input validation as a temporary mitigation.
A public proof-of-concept exploit is available, suggesting a potential for active exploitation. Monitor your systems for suspicious activity.
Refer to the isaacwasserman project's official release notes and communication channels for updates regarding CVE-2026-1977.