CVE-2026-7600: yii2-mcp-server has a Command Injection Issue

May 2, 2026 (updated May 7, 2026)

A flaw has been found in ArtMin96 yii2-mcp-server 1.0.2. This impacts the function yii_command_help/yii_execute_command of the file src/index.ts of the component MCP Interface. Executing a manipulation can lead to os command injection. The attack can be executed remotely. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet.

References

github.com/ArtMin96/yii2-mcp-server
github.com/ArtMin96/yii2-mcp-server/issues/3
github.com/BruceJqs/public_exp/issues/29
github.com/advisories/GHSA-gc8w-x73w-p4rh
nvd.nist.gov/vuln/detail/CVE-2026-7600
vuldb.com/submit/805613
vuldb.com/vuln/360557
vuldb.com/vuln/360557/cti

Code Behaviors & Features

Detect and mitigate CVE-2026-7600 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →