Home / Vulnerability Intelligence / CVE-2026-30625

CVE-2026-30625 - Vulnerability Analysis

CriticalCVSS: 9.8

Last Updated: April 16, 2026

Upsonic - Remote Code Execution

Published: April 15, 2026Updated: April 16, 2026Remote Exploitable

Overview

Upsonic 0.71.6 contains a remote code execution caused by insufficient command argument validation in MCP server/task creation, letting attackers execute arbitrary OS commands with Upsonic process privileges, exploit requires crafted MCP tasks.

Severity & Score

Severity: Critical

CVSS Score: 9.8

Impact

Attackers can execute arbitrary OS commands remotely with Upsonic process privileges, potentially compromising the system.

Mitigation

Update to version 0.72.0 or later.

References

https://github.com/Upsonic/Upsonic/commit/855053fce0662227d9246268ff4a0844b481a305
https://www.ox.security/blog/mcp-supply-chain-advisory-rce-vulnerabilities-across-the-ai-ecosystem/

Related Resources

Vulnerability Intelligence Dashboard
Credential Scanner

Details

CVE ID: CVE-2026-30625
Severity: Critical
CVSS Score: 9.8
Type: command_injection
Status: new

CWE

CWE-77

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H