Vibe Coding
CVE-2026-5023: codebase-mcp OS Command Injection — Remote Code Execution via RepoMix Handler
The codebase-mcp package (a popular MCP server for codebase analysis) has an OS command injection vulnerability in its RepoMix Command Handler. Attackers can exploit it locally to execute arbitrary commands. This is the second codebase-analysis MCP server with an RCE in two months. Builders running codebase-mcp should audit their deployment and pin to a patched version. The pattern of RCE vulnerabilities in MCP servers that handle file paths continues to grow.
Source
↳ Follow the thread