CVE-2026-7590
Published: 01 May 2026
Summary
CVE-2026-7590 is a high-severity Command Injection (CWE-77) vulnerability. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 15.5% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly prevents OS command injection by requiring validation and sanitization of untrusted inputs such as the dev_script argument at application entry points.
- SI-2 (Flaw Remediation): Ensures timely remediation of known software flaws such as this command injection vulnerability through identification, reporting, and patching.
- RA-5 (Vulnerability Monitoring and Scanning): Vulnerability scanning identifies command injection flaws in the Preview Endpoint component, enabling proactive mitigation before exploitation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
OS command injection in the public-facing Preview Endpoint gives a remote attacker arbitrary command execution. That maps directly to T1190 (Exploit Public-Facing Application) for initial access and to T1059 (Command and Scripting Interpreter) for the execution that follows, since the injected payload runs through the host's command interpreter.
NVD Description
A vulnerability was identified in eyal-gor p_69_branch_monkey_mcp up to 69bc71874ce40050ef45fde5a435855f18af3373. The affected element is an unknown function of the file branch_monkey_mcp/bridge_and_local_actions/routes/advanced.py of the component Preview Endpoint. Such manipulation of the argument dev_script leads to os command injection. The attack can be launched remotely. The exploit is publicly available and might be used. This product does not use versioning. This is why information about affected and unaffected releases is unavailable. The project was informed of the problem early through an issue report but has not responded yet.
Deeper analysis
CVE-2026-7590 is an OS command injection vulnerability (CWE-77, CWE-78) affecting the eyal-gor/p_69_branch_monkey_mcp project up to commit 69bc71874ce40050ef45fde5a435855f18af3373. The issue resides in an unknown function within the file branch_monkey_mcp/bridge_and_local_actions/routes/advanced.py, part of the Preview Endpoint component. Attackers can exploit it by manipulating the dev_script argument, enabling arbitrary command execution on the host system. The project lacks versioning, so specific affected and unaffected releases are unavailable.
The vulnerability carries a CVSS v3.1 base score of 7.3 (High): network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), and low confidentiality, integrity and availability impact (C:L/I:L/A:L). An unauthenticated remote attacker can inject and execute operating system commands on the host, which can lead to unauthorized access, data exfiltration, or full system compromise depending on the environment. Treat 7.3 as a floor rather than a ceiling: the vector records low impacts, but arbitrary command execution as the service account exposes everything that account can reach, so the real impact is set by the privileges of the process serving the Preview Endpoint and by what is reachable from that host.
Advisories from VulDB (vuln/360543) and the project's GitHub issue #8 indicate the vulnerability was reported early to the maintainers, who have not responded or issued a patch. No mitigation guidance or fix is available in the referenced sources. Practitioners should watch the repository at https://github.com/eyal-gor/p_69_branch_monkey_mcp for updates and, until a fix lands, keep the Preview Endpoint off untrusted networks and treat any deployment exposed to them as already reachable by the public exploit.
A publicly available exploit exists, increasing the risk of active exploitation.
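As an added illustration of the bug class behind this CVE, and of what the SI-10 control listed under Mitigating Controls asks for in practice: a hypothetical preview handler that splices dev_script into a shell command line, beside a hardened version that validates the argument at the entry point and then executes without a shell. This is constructed example code, not code from eyal-gor/p_69_branch_monkey_mcp, and it makes no claim about what the real function in advanced.py does. The handler names, the allowlist pattern, the attacker input, and the use of echo in place of the real script runner (so the demo is harmless to run) are all assumptions.

```python
import re
import subprocess

# Constructed illustration of CWE-78 (OS command injection), the bug class
# behind CVE-2026-7590. NOT code from eyal-gor/p_69_branch_monkey_mcp; the
# handler names, the allowlist and the use of `echo` as a stand-in for the
# real script runner are assumptions made for this example.


# --- Vulnerable shape: untrusted dev_script is spliced into a shell string ---
def run_preview_vulnerable(dev_script: str) -> str:
    """Hypothetical handler. dev_script arrives straight from the request and
    is interpolated into a command line that /bin/sh parses, so shell
    metacharacters (; | && $( ) backticks) are honoured as shell syntax."""
    cmd = f"echo running {dev_script}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


# --- Hardened shape: validate at the entry point (SI-10), then keep the value
#     away from any shell by passing it as a single argv element.
_SCRIPT_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.:-]{0,63}")


def is_accepted(dev_script: str) -> bool:
    """Allowlist check: letters, digits, '_' '.' ':' '-' only, 1-64 chars,
    and no leading '-' so the value cannot be parsed as an option by the
    program that receives it."""
    return _SCRIPT_NAME.fullmatch(dev_script) is not None


def validate_dev_script(dev_script: str) -> str:
    if not is_accepted(dev_script):
        raise ValueError(f"rejected dev_script: {dev_script!r}")
    return dev_script


def execute_without_shell(dev_script: str) -> str:
    """Argument-vector execution: no shell is involved, so whatever is in
    dev_script reaches the program as one literal argument and is never
    interpreted as a command separator."""
    out = subprocess.run(
        ["echo", "running", dev_script], shell=False, capture_output=True, text=True
    )
    return out.stdout


def run_preview_hardened(dev_script: str) -> str:
    """Both layers together: reject anything outside the allowlist, and even
    for accepted values never hand the string to a shell."""
    return execute_without_shell(validate_dev_script(dev_script))


if __name__ == "__main__":
    payload = "dev; echo INJECTED"  # constructed attacker-controlled input
    print(run_preview_vulnerable(payload), end="")  # second command runs
    print(execute_without_shell(payload), end="")   # literal text, nothing extra runs
    try:
        run_preview_hardened(payload)
    except ValueError as err:
        print("blocked:", err)
```

The two layers are deliberately independent: the allowlist stops the payload at the boundary, and argv execution means that even a value that slips past a weaker validator cannot start a second command. Encoding the value with shlex.quote and still using shell=True is a weaker substitute, because it keeps the shell in the path and depends on the quoting being applied everywhere the value is used.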
Details
- CWE(s)