CVE-2025-9654

6.3 MEDIUM
Published: August 29, 2025 Modified: April 15, 2026
View on NVD

Description

A security flaw has been discovered in AiondaDotCom mcp-ssh up to 1.0.3. Affected by this issue is some unknown functionality of the file server-simple.mjs. Performing manipulation results in command injection. The attack can be initiated remotely. Upgrading to version 1.0.4 and 1.1.0 can resolve this issue. The patch is named cd2566a948b696501abfa6c6b03462cac5fb43d8. It is advisable to upgrade the affected component.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0
Vector String
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory
https://github.com/AiondaDotCom/mcp-ssh/commit/5b9b9c5b28d3f2672f356a790154ed68e17ef453
Source: cna@vuldb.com
https://github.com/AiondaDotCom/mcp-ssh/commit/cd2566a948b696501abfa6c6b03462cac5fb43d8
Source: cna@vuldb.com
https://vuldb.com/?ctiid.321862
Source: cna@vuldb.com
https://vuldb.com/?id.321862
Source: cna@vuldb.com
https://vuldb.com/?submit.637028
Source: cna@vuldb.com

5 reference(s) from NVD

Quick Stats

CVSS v3 Score
6.3 / 10.0
EPSS (Exploit Probability)
0.4%
64th percentile
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)

CWE-74 CWE-77

Related CVEs

CVE-2026-6951 9.8
CVE-2026-6175 N/A
CVE-2026-42171 7.8
CVE-2026-41488 3.1
CVE-2026-41481 6.5