{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-7216", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-04-27T15:21:32.806Z", "datePublished": "2026-04-28T02:15:11.482Z", "dateUpdated": "2026-04-28T14:32:46.612Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-28T02:15:11.482Z"}, "title": "donchelo processing-claude-mcp-bridge create_sketch Tool processing_server.py path traversal", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-22", "lang": "en", "description": "Path Traversal"}]}], "affected": [{"vendor": "donchelo", "product": "processing-claude-mcp-bridge", "versions": [{"version": "e017b20a4b592a45531a6392f494007f04e661bd", "status": "affected"}], "modules": ["create_sketch Tool"]}], "descriptions": [{"lang": "en", "value": "A weakness has been identified in donchelo processing-claude-mcp-bridge up to e017b20a4b592a45531a6392f494007f04e661bd. Impacted is an unknown function of the file processing_server.py of the component create_sketch Tool. This manipulation of the argument sketch_name causes path traversal. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. The project was informed of the problem early through an issue report but has not responded yet."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "HIGH"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 7.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "HIGH"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-04-27T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-04-27T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-04-27T17:26:37.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "CPT_Penner (VulDB User)", "type": "reporter"}, {"lang": "en", "value": "VulDB CNA Team", "type": "coordinator"}], "references": [{"url": "https://vuldb.com/vuln/359816", "name": "VDB-359816 | donchelo processing-claude-mcp-bridge create_sketch Tool processing_server.py path traversal", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/359816/cti", "name": "VDB-359816 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/802090", "name": "Submit #802090 | donchelo processing-claude-mcp-bridge e017b20a4b592a45531a6392f494007f04e661bd Path Traversal", "tags": ["third-party-advisory"]}, {"url": "https://github.com/donchelo/processing-claude-mcp-bridge/issues/1", "tags": ["exploit", "issue-tracking"]}, {"url": "https://github.com/donchelo/processing-claude-mcp-bridge/", "tags": ["product"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-28T14:32:32.610956Z", "id": "CVE-2026-7216", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T14:32:46.612Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-7216", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-04-27T15:21:32.806Z", "datePublished": "2026-04-28T02:15:11.482Z", "dateUpdated": "2026-04-28T14:32:46.612Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-28T02:15:11.482Z"}, "title": "donchelo processing-claude-mcp-bridge create_sketch Tool processing_server.py path traversal", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-22", "lang": "en", "description": "Path Traversal"}]}], "affected": [{"vendor": "donchelo", "product": "processing-claude-mcp-bridge", "versions": [{"version": "e017b20a4b592a45531a6392f494007f04e661bd", "status": "affected"}], "modules": ["create_sketch Tool"]}], "descriptions": [{"lang": "en", "value": "A weakness has been identified in donchelo processing-claude-mcp-bridge up to e017b20a4b592a45531a6392f494007f04e661bd. Impacted is an unknown function of the file processing_server.py of the component create_sketch Tool. This manipulation of the argument sketch_name causes path traversal. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. The project was informed of the problem early through an issue report but has not responded yet."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "HIGH"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 7.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "HIGH"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-04-27T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-04-27T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-04-27T17:26:37.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "CPT_Penner (VulDB User)", "type": "reporter"}, {"lang": "en", "value": "VulDB CNA Team", "type": "coordinator"}], "references": [{"url": "https://vuldb.com/vuln/359816", "name": "VDB-359816 | donchelo processing-claude-mcp-bridge create_sketch Tool processing_server.py path traversal", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/359816/cti", "name": "VDB-359816 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/802090", "name": "Submit #802090 | donchelo processing-claude-mcp-bridge e017b20a4b592a45531a6392f494007f04e661bd Path Traversal", "tags": ["third-party-advisory"]}, {"url": "https://github.com/donchelo/processing-claude-mcp-bridge/issues/1", "tags": ["exploit", "issue-tracking"]}, {"url": "https://github.com/donchelo/processing-claude-mcp-bridge/", "tags": ["product"]}]}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-7216", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-28T14:32:32.610956Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T14:32:43.067Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A weakness has been identified in donchelo processing-claude-mcp-bridge up to e017b20a4b592a45531a6392f494007f04e661bd. Impacted is an unknown function of the file processing_server.py of the component create_sketch Tool. This manipulation of the argument sketch_name causes path traversal. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. The project was informed of the problem early through an issue report but has not responded yet."}], "id": "CVE-2026-7216", "lastModified": "2026-04-28T03:16:04.600", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-04-28T03:16:04.600", "references": [{"source": "cna@vuldb.com", "url": "https://github.com/donchelo/processing-claude-mcp-bridge/"}, {"source": "cna@vuldb.com", "url": "https://github.com/donchelo/processing-claude-mcp-bridge/issues/1"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/submit/802090"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/359816"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/359816/cti"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "e017b20a4b592a45531a6392f494007f04e661bd"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "processing-claude-mcp-bridge", "source": "cna", "vendor": "donchelo"}, "product": "processing-claude-mcp-bridge", "vendor": "donchelo"}], "analysis": {"en": {"generated_at": "2026-04-28T12:31:50.130608+00:00", "value": {"mitigation_remediation": ["Apply the latest release of donchelo processing\u2011claude\u2011mcp\u2011bridge that resolves the path traversal issue as soon as it becomes available.", "If a patch is not yet released, remove external access to the create_sketch endpoint or otherwise restrict the input of sketch_name to trusted directories.", "Enforce strict file system permissions on the sketch directory to prevent arbitrary writes, enable audit logging to detect unusual file operations, and monitor logs for attempted path traversal."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The vulnerability affects donchelo's processing\u2011claude\u2011mcp\u2011bridge component. Affected versions include any release up to the commit e017b20a4b592a45531a6392f494007f04e661bd. The project uses a rolling release model, so version details for newer releases are not provided. The flaw resides in the processing_server.py module of the create_sketch Tool, which is part of the public repository at https://github.com/donchelo/processing-claude-mcp-bridge.", "description_and_impact": "A path traversal flaw exists in the create_sketch Tool of processing_server.py. The flaw occurs when the sketch_name argument is manipulated, allowing an attacker to reference arbitrary file paths. This weakness, identified as CWE\u201122, enables malicious users to read or potentially modify files beyond the intended sketch directory, and the description notes that remote exploitation of the attack is possible, which can lead to remote code execution if the attacker can write executable files or modify configuration files.", "risk_and_exploitability": "The CVSS score of 6.9 indicates a moderate severity. EPSS data are not available, and the vulnerability is not listed in the CISA KEV catalog. The description states that the exploit has been made available to the public and that remote exploitation is possible, so the risk of attack is significant, especially if the create_sketch endpoint is exposed to untrusted users."}}}}, "created": "2026-04-28T09:16:29.090382+00:00", "updated": "2026-04-28T12:45:31.383290+00:00", "vendors": ["donchelo", "donchelo$PRODUCT$processing-claude-mcp-bridge"]}