


Perceptive Security
SOC/SIEM Consultancy

A vulnerability was detected in AgiFlow scaffold-mcp up to 1.0.27. Affected by this issue is some unknown functionality of the file packages/scaffold-mcp/src/se…
Published:
27 April 2026 at 22:00:00
Alert date:
28 April 2026 at 09:01:04
Source:
nvd.nist.gov
Supply Chain & Dependencies, Web Technologies
A path traversal vulnerability (CVE-2026-7237) was discovered in AgiFlow scaffold-mcp versions up to 1.0.27. It affects the write-to-file Tool component in the file packages/scaffold-mcp/src/server/index.ts, where manipulating the file_path argument leads to path traversal. The vulnerability can be exploited remotely, and exploit code is publicly available. Users should upgrade to version 1.1.0, which contains the security patch identified as commit c4d23592ae5fb59cfeefc4641e6826f8ac89b9c6.
Affected products:
AgiFlow scaffold-mcp
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-7237
https://github.com/AgiFlow/aicode-toolkit/commit/c4d23592ae5fb59cfeefc4641e6826f8ac89b9c6
https://github.com/AgiFlow/aicode-toolkit/issues/88
https://github.com/AgiFlow/aicode-toolkit/pull/89
https://github.com/AgiFlow/aicode-toolkit/releases/tag/%40agiflowai/aicode-toolkit%401.1.0
https://vuldb.com/submit/802836
https://vuldb.com/vuln/359845
https://vuldb.com/vuln/359845/cti
This article was created with the assistance of AI technology by Perceptive.
