CVE-2026-16133
A flaw has been found in LiuMengxuan04 MiniCode 0.1.0. Affected by this vulnerability is the function child_process.spawn of the file mcp.ts
CVSS
5.0
Medio
EPSS
—
KEV
—
Exploit Today
—
0-100
Publicado: 18 jul 2026 · Última mod.: 18 jul 2026 · CWE-74 · CWE-77
Sin historial EPSS suficiente todavía.
A flaw has been found in LiuMengxuan04 MiniCode 0.1.0. Affected by this vulnerability is the function child_process.spawn of the file mcp.ts. Executing a manipulation can lead to command injection. The attack can be launched remotely. The attack requires a high level of complexity. The exploitation appears to be difficult. The exploit has been published and may be used. The pull request to fix this issue awaits acceptance.
- gist.github.comhttps://gist.github.com/menelausx/b42381d2788a334cba8cda43f52e2a28
- github.comhttps://github.com/LiuMengxuan04/MiniCode/
- github.comhttps://github.com/LiuMengxuan04/MiniCode/issues/35
- github.comhttps://github.com/LiuMengxuan04/MiniCode/pull/37
- vuldb.comhttps://vuldb.com/cve/CVE-2026-16133
- vuldb.comhttps://vuldb.com/submit/856976
- vuldb.comhttps://vuldb.com/vuln/379853
- vuldb.comhttps://vuldb.com/vuln/379853/cti
CVECVSSEPSSKEVRExplotTítuloVis.
CVE-2026-422718.8 ALT99.6%
KEV—80BerriAI LiteLLM Command Injection Vulnerability5dCVE-2023-349609.8 CRÍ99.9%
——30A command injection vulnerability in the wsConvertPpt component of Chamilo v1.11.* up to v1.11.18 allows attackers to execute arbitrary commands via a SOAP API call with a crafted PowerPoint name.11dCVE-2023-376799.8 CRÍ99.9%
——30A remote command execution (RCE) vulnerability in NextGen Mirth Connect v4.3.0 allows attackers to execute arbitrary commands on the hosting server.11dCVE-2026-222007.5 ALT99.4%
——30Enhancesoft osTicket versions 1.18.x prior to 1.18.3 and 1.17.x prior to 1.17.7 contain an arbitrary file read vulnerability in the ticket PDF export functionality. A remote attacker can submit a ticket containing crafted rich-text HTML that includes PHP filter expressions which are insufficiently sanitized before being processed by the mPDF PDF generator during export. When the attacker exports the ticket to PDF, the generated PDF can embed the contents of attacker-selected files from the server filesystem as bitmap images, allowing disclosure of sensitive local files in the context of the osTicket application user. This issue is exploitable in default configurations where guests may create tickets and access ticket status, or where self-registration is enabled.5dCVE-2026-80379.6 CRÍ98.6%
——30OS Command Injection Remote Code Execution Vulnerability in API in Progress ADC Products allows an un-authenticated attacker to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in multiple command endpoints6dCVE-2022-457018.8 ALT98.6%
——30Arris TG2482A firmware through 9.1.103GEM9 allow Remote Code Execution (RCE) via the ping utility feature.11d