GHSA-p3h2-2j4p-p83g: MCPHub has Path Traversal via Malicious MCPB Manifest Name
- Vulnerability Type: Path Traversal (CWE-22)
- Sink Location: src/controllers/mcpbController.ts:107
- Vulnerability Description: The `name` field from an uploaded MCPB manifest is used directly, without sanitization or normalization, to construct a file system path for directory creation and move operations, which may lead to path traversal attacks.
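The pattern described above, next to one way to harden it, as an added example that is not MCPHub's own code. `UPLOAD_ROOT`, the function names, the allowlist regex and the sample names are assumptions made for illustration.

```typescript
import * as path from "node:path";

// Hypothetical upload root; MCPHub's real directory layout is not shown on this page.
const UPLOAD_ROOT = path.resolve("/srv/mcphub/mcpb");

// Pattern the advisory describes: the manifest name goes straight into the path.
function unsafeTarget(name: string): string {
  return path.join(UPLOAD_ROOT, name);
}

// Hardened form: allowlist the name as a single path segment, then confirm
// that the resolved directory is still strictly inside the upload root.
function safeTarget(name: unknown): string {
  // Assumed policy: 1-64 chars, starts alphanumeric, no separators or NUL.
  if (typeof name !== "string" || !/^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$/.test(name)) {
    throw new Error("invalid manifest name");
  }
  const target = path.resolve(UPLOAD_ROOT, name);
  const rel = path.relative(UPLOAD_ROOT, target);
  // Defence in depth: reject the root itself and anything that climbs out of it.
  if (rel === "" || rel === ".." || rel.startsWith(".." + path.sep) || path.isAbsolute(rel)) {
    throw new Error("manifest name escapes upload root");
  }
  return target;
}

// Returns true when the hardened check accepts the name.
function isAccepted(name: unknown): boolean {
  try {
    safeTarget(name);
    return true;
  } catch {
    return false;
  }
}

// Constructed sample manifest names, not taken from the advisory.
const samples: unknown[] = ["weather-tools", "../../../etc/cron.d/x", "/tmp/x", "a/b", "..", "", 42];
for (const s of samples) {
  const joined = typeof s === "string" ? unsafeTarget(s) : "(not a string)";
  console.log(JSON.stringify(s), "unsafe join ->", joined, "| hardened:", isAccepted(s) ? "accepted" : "rejected");
}
```

The same check belongs immediately before every directory-creation and move call that uses the manifest name, not only at upload parsing.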