CVE-2026-7404: mcpo-simple-server has a Path Traversal issue

April 29, 2026 (updated May 6, 2026)

A weakness has been identified in getsimpletool mcpo-simple-server up to 0.2.0. Affected is the function delete_shared_prompt of the file src/mcpo_simple_server/services/prompt_manager/base_manager.py. This manipulation of the argument detail causes relative path traversal. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.

References

github.com/advisories/GHSA-3jmq-qhg3-f58j
github.com/getsimpletool/mcpo-simple-server
github.com/getsimpletool/mcpo-simple-server/issues/4
nvd.nist.gov/vuln/detail/CVE-2026-7404
vuldb.com/submit/803612
vuldb.com/vuln/360140
vuldb.com/vuln/360140/cti

Code Behaviors & Features

Detect and mitigate CVE-2026-7404 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →