[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"repo-stars":3,"vuln-CVE-2026-61462":6},{"stargazers_count":4,"fetched_at":5},7,"2026-07-13T20:29:37.599Z",{"id":7,"descriptions":8,"cisa":9,"weaknesses":10,"exploits":269,"aliases":270,"duplicate_of":9,"upstream":271,"downstream":272,"duplicates":273,"related":274,"reserved_at":9,"published_at":275,"modified_at":276,"state":277,"summary":278,"references_raw":285,"kevs":306,"epss":9,"epss_history":307,"metrics":308,"affected":318},"CVE-2026-61462","mcp-gitlab contains a path traversal vulnerability in the job_id parameter of build/index.js that allows attackers to redirect GitLab API requests to arbitrary endpoints. Attackers can supply crafted job_id values like ../../../user to escape the intended path prefix and access arbitrary GitLab API resources using the operator's personal access token.",null,[11],{"_key":12,"id":12,"name":13,"description":14,"type":15,"status":16,"abstraction":17,"likelihood_of_exploit":18,"capec":19},"CWE-73","External Control of File Name or Path","The product allows user input to control or influence paths or file names that are used in filesystem operations.","weakness","Draft","Base","High",[20,204,245,249,253,257,261,265],{"id":21,"name":22,"techniques":23},"CAPEC-13","Subverting Environment Variable Values",[24,122,164],{"id":25,"name":26,"tactics":27,"countermeasures":34},"T1562.003","Impair Command History Logging",[28,31],{"id":29,"name":30},"TA0030","Defense Evasion",{"id":32,"name":33},"TA0005","Stealth",[35,40,45,49,53,57,62,66,71,76,80,84,89,93,98,102,106,110,114,118],{"id":36,"name":37,"tactic":38},"D3-CI","Configuration Inventory",{"name":39},"Model",{"id":41,"name":42,"tactic":43},"D3-FA","File Analysis",{"name":44},"Detect",{"id":46,"name":47,"tactic":48},"D3-FIM","File Integrity Monitoring",{"name":44},{"id":50,"name":51,"tactic":52},"D3-DA","Dynamic Analysis",{"name":44},{"id":54,"name":55,"tactic":56},"D3-EFA","Emulated File Analysis",{"name":44},{"id":58,"name":59,"tactic":60},"D3-FEV","File Eviction",{"name":61},"Evict",{"id":63,"name":64,"tactic":65},"D3-RKD","Registry Key Deletion",{"name":61},{"id":67,"name":68,"tactic":69},"D3-DF","Decoy File",{"name":70},"Deceive",{"id":72,"name":73,"tactic":74},"D3-DRA","Disable Remote Access",{"name":75},"Harden",{"id":77,"name":78,"tactic":79},"D3-ACH","Application Configuration Hardening",{"name":75},{"id":81,"name":82,"tactic":83},"D3-FE","File Encryption",{"name":75},{"id":85,"name":86,"tactic":87},"D3-RC","Restore Configuration",{"name":88},"Restore",{"id":90,"name":91,"tactic":92},"D3-RF","Restore File",{"name":88},{"id":94,"name":95,"tactic":96},"D3-CQ","Content Quarantine",{"name":97},"Isolate",{"id":99,"name":100,"tactic":101},"D3-CF","Content Filtering",{"name":97},{"id":103,"name":104,"tactic":105},"D3-LFP","Local File Permissions",{"name":97},{"id":107,"name":108,"tactic":109},"D3-RFAM","Remote File Access Mediation",{"name":97},{"id":111,"name":112,"tactic":113},"D3-CM","Content Modification",{"name":97},{"id":115,"name":116,"tactic":117},"D3-EAL","Executable Allowlisting",{"name":97},{"id":119,"name":120,"tactic":121},"D3-EDL","Executable Denylisting",{"name":97},{"id":123,"name":124,"tactics":125,"countermeasures":137},"T1574.006","Dynamic Linker Hijacking",[126,129,132,133,134],{"id":127,"name":128},"TA0110","Persistence",{"id":130,"name":131},"TA0111","Privilege Escalation",{"id":29,"name":30},{"id":32,"name":33},{"id":135,"name":136},"TA0104","Execution",[138,142,144,146,148,150,152,154,156,158,160,162],{"id":139,"name":140,"tactic":141},"D3-SFA","System File Analysis",{"name":44},{"id":41,"name":42,"tactic":143},{"name":44},{"id":46,"name":47,"tactic":145},{"name":44},{"id":58,"name":59,"tactic":147},{"name":61},{"id":67,"name":68,"tactic":149},{"name":70},{"id":81,"name":82,"tactic":151},{"name":75},{"id":90,"name":91,"tactic":153},{"name":88},{"id":99,"name":100,"tactic":155},{"name":97},{"id":103,"name":104,"tactic":157},{"name":97},{"id":107,"name":108,"tactic":159},{"name":97},{"id":94,"name":95,"tactic":161},{"name":97},{"id":111,"name":112,"tactic":163},{"name":97},{"id":165,"name":166,"tactics":167,"countermeasures":173},"T1574.007","Path Interception by PATH Environment Variable",[168,169,170,171,172],{"id":127,"name":128},{"id":130,"name":131},{"id":29,"name":30},{"id":32,"name":33},{"id":135,"name":136},[174,176,178,180,182,184,186,188,190,192,194,196,198,200,202],{"id":41,"name":42,"tactic":175},{"name":44},{"id":46,"name":47,"tactic":177},{"name":44},{"id":50,"name":51,"tactic":179},{"name":44},{"id":54,"name":55,"tactic":181},{"name":44},{"id":58,"name":59,"tactic":183},{"name":61},{"id":67,"name":68,"tactic":185},{"name":70},{"id":81,"name":82,"tactic":187},{"name":75},{"id":90,"name":91,"tactic":189},{"name":88},{"id":99,"name":100,"tactic":191},{"name":97},{"id":103,"name":104,"tactic":193},{"name":97},{"id":107,"name":108,"tactic":195},{"name":97},{"id":94,"name":95,"tactic":197},{"name":97},{"id":111,"name":112,"tactic":199},{"name":97},{"id":115,"name":116,"tactic":201},{"name":97},{"id":119,"name":120,"tactic":203},{"name":97},{"id":205,"name":206,"techniques":207},"CAPEC-267","Leverage Alternate Encoding",[208],{"id":209,"name":210,"tactics":211,"countermeasures":214},"T1027","Obfuscated Files or Information",[212,213],{"id":29,"name":30},{"id":32,"name":33},[215,217,219,221,223,225,227,229,231,233,235,237,239,241,243],{"id":41,"name":42,"tactic":216},{"name":44},{"id":46,"name":47,"tactic":218},{"name":44},{"id":50,"name":51,"tactic":220},{"name":44},{"id":54,"name":55,"tactic":222},{"name":44},{"id":58,"name":59,"tactic":224},{"name":61},{"id":67,"name":68,"tactic":226},{"name":70},{"id":81,"name":82,"tactic":228},{"name":75},{"id":90,"name":91,"tactic":230},{"name":88},{"id":99,"name":100,"tactic":232},{"name":97},{"id":103,"name":104,"tactic":234},{"name":97},{"id":107,"name":108,"tactic":236},{"name":97},{"id":94,"name":95,"tactic":238},{"name":97},{"id":111,"name":112,"tactic":240},{"name":97},{"id":115,"name":116,"tactic":242},{"name":97},{"id":119,"name":120,"tactic":244},{"name":97},{"id":246,"name":247,"techniques":248},"CAPEC-64","Using Slashes and URL Encoding Combined to Bypass Validation Logic",[],{"id":250,"name":251,"techniques":252},"CAPEC-72","URL Encoding",[],{"id":254,"name":255,"techniques":256},"CAPEC-76","Manipulating Web Input to File System Calls",[],{"id":258,"name":259,"techniques":260},"CAPEC-78","Using Escaped Slashes in Alternate Encoding",[],{"id":262,"name":263,"techniques":264},"CAPEC-79","Using Slashes in Alternate Encoding",[],{"id":266,"name":267,"techniques":268},"CAPEC-80","Using UTF-8 Encoding to Bypass Validation Logic",[],[],[],[],[],[],[],"2026-07-13T17:17:26.026Z","2026-07-13T18:49:55.717Z","PUBLISHED",{"cisa_kev":279,"cisa_ransomware":279,"cisa_vendor":9,"epss_severity":9,"epss_score":9,"severity":280,"severity_score":281,"severity_version":282,"severity_source":283,"severity_vector":284,"severity_status":277},false,"critical",9.2,"v4.0","cve.org","CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N",[286,291,296,301],{"url":287,"sources":288,"tags":289},"https://github.com/zereight/gitlab-mcp/issues/587",[283],[290],"Issue Tracking",{"url":292,"sources":293,"tags":294},"https://github.com/zereight/gitlab-mcp",[283],[295],"Product",{"url":297,"sources":298,"tags":299},"https://github.com/zereight/gitlab-mcp/commit/e2a81a047ab8750fa5bfa1763b5d85e5616f3994",[283],[300],"Patch",{"url":302,"sources":303,"tags":304},"https://www.vulncheck.com/advisories/mcp-gitlab-path-traversal-via-job-id-parameter",[283],[305],"Third Party Advisory",[],[],[309],{"source":283,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":310,"cvss_v4_0":316},{"baseScore":311,"baseSeverity":312,"vectorString":313,"impactScore":314,"exploitabilityScore":315},8.6,"HIGH","CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",6.7,10,{"baseScore":281,"baseSeverity":317,"vectorString":284,"impactScore":9,"exploitabilityScore":9},"CRITICAL",[319],{"ecosystem":9,"name":320,"vendor":321,"product":320,"cpe_part":322,"purl_type":9,"purl_namespace":9,"purl_name":9,"source":9,"versions":323},"mcp-gitlab","zereight","a",[324],{"version":325,"is_range":326,"range_type":283,"version_start":9,"version_start_type":9,"version_end":327,"version_end_type":328,"fixed_in":9},"\u003C 2.1.18",true,"2.1.18","excluding"]