CVE-2026-7590
Published: 01 May 2026
Summary
CVE-2026-7590 is a medium-severity Command Injection (CWE-77) vulnerability. Its CVSS base score is 5.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 15.5% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Deeper analysis
A vulnerability identified as CVE-2026-7590 affects the Preview Endpoint component in the eyal-gor p_69_branch_monkey_mcp project up to commit 69bc71874ce40050ef45fde5a435855f18af3373. Specifically, an unknown function in branch_monkey_mcp/bridge_and_local_actions/routes/advanced.py allows OS command injection through manipulation of the dev_script argument, corresponding to CWE-77 and CWE-78. The product does not use versioning, so affected release details are unavailable, and the project received early notification via an issue report without subsequent response.
Remote attackers can exploit the flaw without requiring authentication or user interaction, enabling execution of arbitrary operating system commands with limited impact on confidentiality, integrity, and availability as reflected in the CVSS 5.5 score. A publicly available exploit increases the practical risk for any deployments of this component.
The listed references point to the project's GitHub repository, an associated issue tracker entry, and VulDB records, but contain no details on official patches or mitigations. The EPSS score remains low, with negligible movement between its current value of 0.0212 and its peak of 0.0218.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-26708
Vulnerability details
A vulnerability was identified in eyal-gor p_69_branch_monkey_mcp up to 69bc71874ce40050ef45fde5a435855f18af3373. The affected element is an unknown function of the file branch_monkey_mcp/bridge_and_local_actions/routes/advanced.py of the component Preview Endpoint. Such manipulation of the argument dev_script leads to OS command injection. The attack can be launched remotely. The exploit is publicly available and might be used. This product does not use versioning, which is why information about affected and unaffected releases is unavailable. The project was informed of the problem early through an issue report but has not responded yet.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
OS command injection in public-facing Preview Endpoint enables remote arbitrary command execution, directly mapping to T1190 for initial access via public app exploitation and T1059 for command interpreter usage.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly prevents OS command injection by requiring validation and sanitization of untrusted inputs, such as the dev_script argument, at application entry points.
- SI-2 (Flaw Remediation): ensures timely remediation of known software flaws such as this command injection vulnerability through identification, reporting, and patching.
- RA-5 (Vulnerability Monitoring and Scanning): vulnerability scanning identifies command injection flaws in the Preview Endpoint component, enabling proactive mitigation before exploitation.
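The SI-10 control above is abstract; the following added example (not code from the p_69_branch_monkey_mcp project, whose route implementation is not on this page) shows what input validation of a dev_script argument looks like in a Python endpoint: an allowlist of script names, a fixed argv list executed without a shell, and the same validator reused as detection logic over constructed access-log lines. The scripts directory, the allowed script names and the log format are assumptions.

```python
import re
import subprocess
from pathlib import PurePosixPath
from urllib.parse import parse_qs, urlsplit

# Hypothetical layout: the endpoint may only run scripts from this directory.
SCRIPTS_DIR = PurePosixPath("/opt/preview/scripts")
# Hypothetical allowlist of script names the Preview Endpoint is meant to run.
ALLOWED_SCRIPTS = {"build", "lint", "preview"}
# Syntactic check first: short, alphanumeric/underscore/dash only, no slashes,
# no shell metacharacters, no whitespace.
SCRIPT_NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,32}")

def is_valid_dev_script(dev_script) -> bool:
    """True only when dev_script is a string that is both well-formed and allowlisted."""
    return (isinstance(dev_script, str)
            and SCRIPT_NAME_RE.fullmatch(dev_script) is not None
            and dev_script in ALLOWED_SCRIPTS)

def build_command(dev_script: str) -> list[str]:
    """Build the argv list for a validated script; rejects anything else."""
    if not is_valid_dev_script(dev_script):
        raise ValueError("rejected dev_script value")
    # The user value only selects a file name; it never reaches a shell.
    return [str(SCRIPTS_DIR / f"{dev_script}.sh")]

def run_dev_script(dev_script: str) -> subprocess.CompletedProcess:
    """Execute the selected script as an argv list, shell=False, with a timeout."""
    return subprocess.run(build_command(dev_script), shell=False,
                          capture_output=True, text=True, timeout=30)

# Constructed sample access-log lines (not from the page); query strings are URL-encoded.
SAMPLE_LOG = [
    '10.0.0.5 - "GET /preview?dev_script=build HTTP/1.1" 200',
    '10.0.0.9 - "GET /preview?dev_script=build%3B%20ls HTTP/1.1" 200',
    '10.0.0.9 - "GET /preview?dev_script=%2E%2E%2Fbuild HTTP/1.1" 500',
]

def flag_rejected_dev_script_requests(log_lines) -> list[str]:
    """Return decoded dev_script values in the log that fail validation (detection use)."""
    flagged = []
    for line in log_lines:
        m = re.search(r'"(?:GET|POST) (\S+) HTTP', line)
        if not m:
            continue
        for value in parse_qs(urlsplit(m.group(1)).query).get("dev_script", []):
            if not is_valid_dev_script(value):
                flagged.append(value)
    return flagged
```

Because the allowlist is the only thing that decides what runs, a value such as "build; ls" or "../build" is rejected before any process is spawned, and the same function flags those values in historical logs.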