CVE-2026-4496
CWE-77 · Published: March 20, 2026 · Updated: Mar 24, 2026
Official Description
A vulnerability was found in sigmade Git-MCP-Server up to 785aa159f262a02d5791a5d8a8e13c507ac42880. Affected by this vulnerability is the function child_process.exec of the file src/gitUtils.ts of the component show_merge_diff/quick_merge_summary/show_file_diff. The manipulation results in OS command injection. The attack must be initiated from a local position. The exploit has been made public and could be used. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases. It is advisable to implement a patch to correct this issue. The vendor was contacted early about this disclosure but did not respond in any way.
Technical Analysis
CVE-2026-4496 requires local access, meaning attackers must already have a foothold on the target system.
Exploitation requires low privileges, which limits the exposure to scenarios where an attacker has already gained initial access.
CVSS v3.1 Vector Breakdown
Exploit & PoC Resources
News & Research Mentioning CVE-2026-4496
Veeam has released security patches to address a critical flaw in its Backup & Replication software that could result in remote code execution. Tracked as CVE-2026-44963, the vulnerability carries a CVSS score of 9.4 out of a maximum of 10.0. "A vulnerability allowing remote code execution (RCE) on the Backup Server by an authenticated domain user," Veeam said in a Tuesday advisory. It (Source: The Hacker News)
All References (7)
Quick Facts
Related CVEs (CWE-77)
Recommended Actions
- Apply vendor patches immediately
- Monitor CVE-2026-4496 in threat intel feeds
- Review IDS/IPS signatures for exploitation attempts