CVE-2026-5029

Published 12/05/2026 10:16 · Modified 12/05/2026 14:15

Labels: CVE-2026-5029, 2026-05-12, CWE-306, [email protected]

Essential information

Published: 12/05/2026 10:16
Modified: 12/05/2026 14:15
CVSS: 8.7 HIGH (v3), 8.7 HIGH (v4.0)
CISA KEV: No
CWE: CWE-306

CVSS metrics

Description

A remote code execution vulnerability exists in Code Runner MCP Server when run with the --transport http option, which exposes the /mcp JSON-RPC endpoint without authentication on port 3088. An unauthenticated remote attacker can invoke the run-code MCP tool to supply arbitrary source code and execute it via child_process.exec() using the specified language interpreter. This allows execution of arbitrary code with the privileges of the user running the server. This vulnerability has not been fixed and might affect the project in all versions.

NVD status

Status: Awaiting Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source: [email protected]

Affected products (CPE)

Product: code runner / code runner mcp server
CPE: cpe:2.3:a:code_runner:code_runner_mcp_server:*:*:*:*:*:*:*:*

References