CVE-2026-30635: automagik-genie has a command injection vulnerability

May 11, 2026 (updated May 18, 2026)

Command injection vulnerability in automagik-genie 2.5.27 MCP Server allows attackers to execute arbitrary commands via the view_task (aka view) in the readTranscriptFromCommit function in dist/mcp/server.js when a user reads from an external FORGE_BASE_URL.

References

gist.github.com/spdc-elm/3ddecd10ffa85c5963ab7fe531619875
github.com/advisories/GHSA-64vr-4gr2-m642
nvd.nist.gov/vuln/detail/CVE-2026-30635

Code Behaviors & Features

Detect and mitigate CVE-2026-30635 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →