CVE-2026-15751 in mastergo-magic-mcpinfo

Summary

by MITRE • 07/15/2026

A security vulnerability has been detected in mastergo-design mastergo-magic-mcp up to 0.2.0. The affected element is the function execute of the file mastergo/component-workflow.md of the component mcp__getComponentGenerator. The manipulation of the argument rootPath leads to path traversal. An attack has to be approached locally. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 07/15/2026

This vulnerability resides within the mastergo-design mastergo-magic-mcp component version 0.2.0 or earlier, specifically targeting the execute function located in mastergo/component-workflow.md. The flaw manifests as a path traversal vulnerability that occurs when the rootPath argument is manipulated by an attacker, allowing unauthorized access to files and directories outside the intended scope. The vulnerability requires local execution privileges for exploitation, meaning an attacker must already have access to the system or application environment to leverage this weakness. This represents a significant security concern as it provides potential attackers with the ability to navigate beyond the designated file system boundaries and potentially access sensitive data or system resources.

The technical implementation of this vulnerability falls under CWE-23 Path Traversal, which occurs when an application fails to properly sanitize user-supplied input before using it in file operations. In this case, the rootPath parameter appears to be directly used in file system operations without adequate validation or sanitization measures. The attack vector is particularly concerning because it allows for arbitrary file system access through manipulation of the path traversal component, potentially enabling attackers to read confidential files, modify system components, or even execute unauthorized code within the application's context.

The operational impact of this vulnerability extends beyond simple data access, as it can enable attackers with local privileges to escalate their access and potentially compromise the entire system. The fact that this exploit has been publicly disclosed increases the risk significantly, as malicious actors can readily implement the attack without requiring advanced technical skills or extensive reconnaissance. Given that the project maintainers were informed through an issue report but have not responded, there is a critical gap in vulnerability management where the security community's efforts to notify the developers have been ignored, leaving users exposed to potential exploitation.

Organizations using this component should immediately implement mitigations including input validation and sanitization of all path parameters, implementing proper access controls and privilege restrictions on file system operations, and considering the use of secure coding practices that prevent path traversal vulnerabilities through techniques like canonicalizing paths or using restricted directory access patterns. The ATT&CK framework categorizes this as a Path Traversal technique under the T1083 discovery tactic, which can lead to further exploitation opportunities including privilege escalation and information gathering. Additionally, implementing proper application sandboxing and ensuring that the component runs with minimal required privileges can significantly reduce the potential impact of such vulnerabilities. Regular security audits and proactive vulnerability management processes should be established to ensure timely response to security issues and prevent similar vulnerabilities from persisting in the codebase.

Responsible

VulDB

Disclosure

07/15/2026

Moderation

accepted

CPE

ready

Exploit

Download

EPSS

0.00000

KEV

no

Activities

low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!