
A vulnerability was detected in AgiFlow scaffold-mcp up to 1.0.27. Affected by this issue is some unknown functionality of the file packages/scaffold-mcp/src/se…

Published:

27 April 2026 at 22:00:00

Alert date:

28 April 2026 at 09:01:04

Source:

nvd.nist.gov


Supply Chain & Dependencies, Web Technologies

A path traversal vulnerability (CVE-2026-7237) was discovered in AgiFlow scaffold-mcp versions up to 1.0.27. It affects the write-to-file tool component in packages/scaffold-mcp/src/server/index.ts, where manipulation of the file_path argument leads to path traversal. The vulnerability can be exploited remotely, and exploit code is publicly available. Users should upgrade to version 1.1.0, which contains the security patch identified as commit c4d23592ae5fb59cfeefc4641e6826f8ac89b9c6.
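For teams reviewing their own file-writing tools for the same class of bug, the following is an added example, not code from scaffold-mcp or its patch, of a containment check for a caller-supplied file_path. The names resolveInsideRoot, lexists and demo and the temporary workspace layout are assumptions made for illustration.

```typescript
import * as fs from "node:fs";
import * as os from "node:os";
import * as path from "node:path";

// lstat-based existence test: a dangling symlink still counts as existing.
function lexists(p: string): boolean {
  try { fs.lstatSync(p); return true; } catch { return false; }
}

// Hypothetical helper (not from scaffold-mcp): map a caller-supplied
// file_path to an absolute path that is guaranteed to stay under `root`.
function resolveInsideRoot(root: string, filePath: string): string {
  if (filePath.includes("\0")) throw new Error("NUL byte in file_path");
  const realRoot = fs.realpathSync(root);
  // path.resolve collapses ".." segments, and an absolute filePath replaces
  // realRoot entirely; both cases are caught by the check on `rel` below.
  const candidate = path.resolve(realRoot, filePath);

  // Resolve symlinks on the deepest ancestor that already exists, so a link
  // inside the root cannot redirect the write to a location outside it.
  let existing = candidate;
  while (!lexists(existing)) existing = path.dirname(existing);
  const real = path.join(fs.realpathSync(existing), path.relative(existing, candidate));

  const rel = path.relative(realRoot, real);
  if (rel === "" || rel === ".." || rel.startsWith(".." + path.sep) || path.isAbsolute(rel)) {
    throw new Error(`file_path escapes workspace: ${filePath}`);
  }
  return real;
}

// Constructed demo: a temporary workspace with a symlink pointing outside it.
function demo(): Record<string, boolean> {
  const base = fs.realpathSync(fs.mkdtempSync(path.join(os.tmpdir(), "ws-")));
  const root = path.join(base, "workspace");
  fs.mkdirSync(path.join(base, "outside"));
  fs.mkdirSync(root);
  fs.symlinkSync(path.join(base, "outside"), path.join(root, "link"));
  const inputs = ["src/new/file.ts", "..notes/ok.txt", "../outside/x",
    "a/../../outside/x", "link/x", path.join(base, "outside", "abs.txt")];
  const out: Record<string, boolean> = {};
  for (const p of inputs) {
    try { resolveInsideRoot(root, p); out[path.isAbsolute(p) ? "absolute" : p] = true; }
    catch { out[path.isAbsolute(p) ? "absolute" : p] = false; }
  }
  fs.rmSync(base, { recursive: true, force: true });
  return out;
}
```

The check compares resolved paths rather than searching the input for "..", which is why a legitimate name such as `..notes/ok.txt` is accepted while the symlinked and absolute inputs are rejected.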

Technical details

Mitigation steps:

Affected products:

AgiFlow scaffold-mcp

Related links:

Related CVEs:

Related threat actors:

IOCs:

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Disclaimer: This website displays information originating from external sources. Perceptive accepts no responsibility for the content, accuracy or completeness of this information.
