CVE-2026-40576 - Vulnerability Analysis
Critical | CVSS: 9.4 | Last Updated: April 21, 2026
excel-mcp-server - Path Traversal
Overview
excel-mcp-server <= 0.1.7 contains a path traversal vulnerability caused by improper validation of file paths in the get_excel_path() function. It lets unauthenticated remote attackers read, write, and overwrite arbitrary files. Exploitation requires network access with the default configuration.
Impact
Unauthenticated remote attackers can read, write, and overwrite arbitrary files on the host, leading to full system compromise.
Mitigation
Update to version 0.1.8 or later.
Social Media Activity (2 posts)
CVE-2026-40576 - Critical (9.4) excel-mcp-server is a Model Context Protocol server for Excel file manipulation. A path traversal vulnerability exists in excel-mcp-server versions up to and including 0.1.7. When running in SSE or Streamable-HTTP transport mode (the documented wa... https://www.thehackerwire.com/vulnerability/CVE-2026-40576/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
Details
- CVE ID: CVE-2026-40576
- Severity: Critical
- CVSS Score: 9.4
- Type: path_traversal
- Status: new
- EPSS: 0.0%
- Social Posts: 2
CWE
- CWE-22
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H