


Perceptive Security
SOC/SIEM Consultancy

A vulnerability was detected in AgiFlow scaffold-mcp up to 1.0.27. Affected by this issue is some unknown functionality of the file packages/scaffold-mcp/src/se…
Published: 27 April 2026 at 22:00:00
Alert date: 28 April 2026 at 21:20:20
Source: nvd.nist.gov
Supply Chain & Dependencies, Web Technologies
A path traversal vulnerability (CVE-2026-7237) was discovered in AgiFlow scaffold-mcp versions up to 1.0.27. It affects the write-to-file tool in the file packages/scaffold-mcp/src/server/index.ts: manipulating the file_path argument leads to path traversal, and the attack can be carried out remotely. The exploit is publicly available and can be used. The vulnerability is patched in version 1.1.0 by commit c4d23592ae5fb59cfeefc4641e6826f8ac89b9c6. Users are strongly advised to upgrade to the fixed version immediately.
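The class of check a write-to-file tool needs on its file_path argument, as an example added here: it is not the code from the commit above, and the names resolveInsideRoot, workspaceRoot and demo are hypothetical. It confines the resolved path to a workspace root and also rejects absolute paths and symlinks that lead out of it.

```typescript
import * as fs from "node:fs";
import * as os from "node:os";
import * as path from "node:path";

// lstat-based existence check, so a dangling symlink still counts as present.
function lexists(p: string): boolean {
  try { fs.lstatSync(p); return true; } catch (_e) { return false; }
}

// Hypothetical helper (not the scaffold-mcp patch): turn a caller-supplied
// file_path into an absolute path, or throw if it lands outside workspaceRoot.
function resolveInsideRoot(workspaceRoot: string, filePath: string): string {
  if (filePath.includes("\0")) throw new Error("file_path contains a NUL byte");
  const root = fs.realpathSync(workspaceRoot);
  // path.resolve collapses ".." segments; an absolute filePath replaces root.
  const candidate = path.resolve(root, filePath);
  // The target may not exist yet, so resolve symlinks on its deepest existing
  // ancestor. realpathSync throws on a dangling symlink, which fails closed.
  let existing = candidate;
  while (!lexists(existing)) existing = path.dirname(existing);
  const real = path.join(fs.realpathSync(existing), path.relative(existing, candidate));
  const rel = path.relative(root, real);
  const escapes = rel === ".." || rel.startsWith(".." + path.sep) || path.isAbsolute(rel);
  if (rel === "" || escapes) throw new Error(`file_path outside workspace: ${filePath}`);
  return real;
}

// Constructed inputs, checked against a throwaway workspace under the temp dir.
function demo(): Record<string, boolean> {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), "ws-demo-"));
  const root = path.join(base, "workspace");
  fs.mkdirSync(path.join(root, "src"), { recursive: true });
  fs.symlinkSync(base, path.join(root, "link")); // symlink leading out of the workspace
  const inputs = ["src/new/file.ts", "../outside.txt", "src/../../outside.txt",
    path.join(base, "abs.txt"), "link/outside.txt"];
  const allowed: Record<string, boolean> = {};
  for (const p of inputs) {
    try { resolveInsideRoot(root, p); allowed[p] = true; } catch (_e) { allowed[p] = false; }
  }
  fs.rmSync(base, { recursive: true, force: true });
  return allowed;
}

console.log(demo());
```

The write should go to the path the helper returns, not to the original file_path, so that the validated path and the written path are the same.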
Affected products:
AgiFlow scaffold-mcp
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-7237
https://github.com/AgiFlow/aicode-toolkit/commit/c4d23592ae5fb59cfeefc4641e6826f8ac89b9c6
https://github.com/AgiFlow/aicode-toolkit/issues/88
https://github.com/AgiFlow/aicode-toolkit/pull/89
https://github.com/AgiFlow/aicode-toolkit/releases/tag/%40agiflowai/aicode-toolkit%401.1.0
https://vuldb.com/submit/802836
https://vuldb.com/vuln/359845
https://vuldb.com/vuln/359845/cti
This article was created with the assistance of AI technology by Perceptive.
