Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
2 vulnerabilities by tugcantopaloglu
CVE-2026-15522 (GCVE-0-2026-15522)
Vulnerability from nvd – Published: 2026-07-13 01:45 – Updated: 2026-07-13 15:19 X_Open Source
VLAI
EPSS
VEX
Title
tugcantopaloglu godot-mcp run_project index.js validatePath path traversal
Summary
A security flaw has been discovered in tugcantopaloglu godot-mcp 2.0.0. Affected by this vulnerability is the function validatePath of the file build/index.js of the component run_project. The manipulation of the argument projectPath results in path traversal. Attacking locally is a requirement. The exploit has been released to the public and may be used for attacks. Upgrading to version 3.0.0 addresses this issue. The patch is identified as eb63add552aa4bd9205395cf91b40654654a3cf2. It is suggested to upgrade the affected component.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-22 - Path Traversal
Assigner
References
8 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/377851 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/377851/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-15522 | third-party-advisory |
| https://vuldb.com/submit/854523 | third-party-advisory |
| https://github.com/tugcantopaloglu/godot-mcp/issues/9 | exploitissue-tracking |
| https://github.com/tugcantopaloglu/godot-mcp/comm… | patch |
| https://github.com/tugcantopaloglu/godot-mcp/rele… | patch |
| https://github.com/tugcantopaloglu/godot-mcp/ | product |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| tugcantopaloglu | godot-mcp |
Affected:
2.0.0
Unaffected: 3.0.0 cpe:2.3:a:tugcantopaloglu:godot-mcp:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-15522",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-13T15:19:12.769707Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-13T15:19:28.662Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:tugcantopaloglu:godot-mcp:*:*:*:*:*:*:*:*"
],
"modules": [
"run_project"
],
"product": "godot-mcp",
"vendor": "tugcantopaloglu",
"versions": [
{
"status": "affected",
"version": "2.0.0"
},
{
"status": "unaffected",
"version": "3.0.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Mcfly_Zhang (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A security flaw has been discovered in tugcantopaloglu godot-mcp 2.0.0. Affected by this vulnerability is the function validatePath of the file build/index.js of the component run_project. The manipulation of the argument projectPath results in path traversal. Attacking locally is a requirement. The exploit has been released to the public and may be used for attacks. Upgrading to version 3.0.0 addresses this issue. The patch is identified as eb63add552aa4bd9205395cf91b40654654a3cf2. It is suggested to upgrade the affected component."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 4.3,
"vectorString": "AV:L/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "Path Traversal",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-13T01:45:11.320Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-377851 | tugcantopaloglu godot-mcp run_project index.js validatePath path traversal",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/377851"
},
{
"name": "VDB-377851 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/377851/cti"
},
{
"name": "CVE-2026-15522 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-15522"
},
{
"name": "Submit #854523 | tugcantopaloglu godot-mcp 2.0.0 Path Traversal",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/854523"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/tugcantopaloglu/godot-mcp/issues/9"
},
{
"tags": [
"patch"
],
"url": "https://github.com/tugcantopaloglu/godot-mcp/commit/eb63add552aa4bd9205395cf91b40654654a3cf2"
},
{
"tags": [
"patch"
],
"url": "https://github.com/tugcantopaloglu/godot-mcp/releases/tag/v3.0.0"
},
{
"tags": [
"product"
],
"url": "https://github.com/tugcantopaloglu/godot-mcp/"
}
],
"tags": [
"x_open-source"
],
"timeline": [
{
"lang": "en",
"time": "2026-07-12T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-07-12T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-07-12T13:42:04.000Z",
"value": "VulDB entry last update"
}
],
"title": "tugcantopaloglu godot-mcp run_project index.js validatePath path traversal"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-15522",
"datePublished": "2026-07-13T01:45:11.320Z",
"dateReserved": "2026-07-12T11:36:50.421Z",
"dateUpdated": "2026-07-13T15:19:28.662Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-15522 (GCVE-0-2026-15522)
Vulnerability from cvelistv5 – Published: 2026-07-13 01:45 – Updated: 2026-07-13 15:19 X_Open Source
VLAI
EPSS
VEX
Title
tugcantopaloglu godot-mcp run_project index.js validatePath path traversal
Summary
A security flaw has been discovered in tugcantopaloglu godot-mcp 2.0.0. Affected by this vulnerability is the function validatePath of the file build/index.js of the component run_project. The manipulation of the argument projectPath results in path traversal. Attacking locally is a requirement. The exploit has been released to the public and may be used for attacks. Upgrading to version 3.0.0 addresses this issue. The patch is identified as eb63add552aa4bd9205395cf91b40654654a3cf2. It is suggested to upgrade the affected component.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-22 - Path Traversal
Assigner
References
8 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/377851 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/377851/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-15522 | third-party-advisory |
| https://vuldb.com/submit/854523 | third-party-advisory |
| https://github.com/tugcantopaloglu/godot-mcp/issues/9 | exploitissue-tracking |
| https://github.com/tugcantopaloglu/godot-mcp/comm… | patch |
| https://github.com/tugcantopaloglu/godot-mcp/rele… | patch |
| https://github.com/tugcantopaloglu/godot-mcp/ | product |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| tugcantopaloglu | godot-mcp |
Affected:
2.0.0
Unaffected: 3.0.0 cpe:2.3:a:tugcantopaloglu:godot-mcp:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-15522",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-13T15:19:12.769707Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-13T15:19:28.662Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:tugcantopaloglu:godot-mcp:*:*:*:*:*:*:*:*"
],
"modules": [
"run_project"
],
"product": "godot-mcp",
"vendor": "tugcantopaloglu",
"versions": [
{
"status": "affected",
"version": "2.0.0"
},
{
"status": "unaffected",
"version": "3.0.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Mcfly_Zhang (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A security flaw has been discovered in tugcantopaloglu godot-mcp 2.0.0. Affected by this vulnerability is the function validatePath of the file build/index.js of the component run_project. The manipulation of the argument projectPath results in path traversal. Attacking locally is a requirement. The exploit has been released to the public and may be used for attacks. Upgrading to version 3.0.0 addresses this issue. The patch is identified as eb63add552aa4bd9205395cf91b40654654a3cf2. It is suggested to upgrade the affected component."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 4.3,
"vectorString": "AV:L/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "Path Traversal",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-13T01:45:11.320Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-377851 | tugcantopaloglu godot-mcp run_project index.js validatePath path traversal",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/377851"
},
{
"name": "VDB-377851 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/377851/cti"
},
{
"name": "CVE-2026-15522 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-15522"
},
{
"name": "Submit #854523 | tugcantopaloglu godot-mcp 2.0.0 Path Traversal",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/854523"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/tugcantopaloglu/godot-mcp/issues/9"
},
{
"tags": [
"patch"
],
"url": "https://github.com/tugcantopaloglu/godot-mcp/commit/eb63add552aa4bd9205395cf91b40654654a3cf2"
},
{
"tags": [
"patch"
],
"url": "https://github.com/tugcantopaloglu/godot-mcp/releases/tag/v3.0.0"
},
{
"tags": [
"product"
],
"url": "https://github.com/tugcantopaloglu/godot-mcp/"
}
],
"tags": [
"x_open-source"
],
"timeline": [
{
"lang": "en",
"time": "2026-07-12T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-07-12T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-07-12T13:42:04.000Z",
"value": "VulDB entry last update"
}
],
"title": "tugcantopaloglu godot-mcp run_project index.js validatePath path traversal"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-15522",
"datePublished": "2026-07-13T01:45:11.320Z",
"dateReserved": "2026-07-12T11:36:50.421Z",
"dateUpdated": "2026-07-13T15:19:28.662Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}