CVE-2026-15522
tugcantopaloglu godot-mcp run_project index.js validatePath path traversal
CVSS Score
5.3
EPSS Score
0.1%
EPSS Percentile
4th
A security flaw has been discovered in tugcantopaloglu godot-mcp 2.0.0. Affected by this vulnerability is the function validatePath of the file build/index.js of the component run_project. The manipulation of the argument projectPath results in path traversal. Attacking locally is a requirement. The exploit has been released to the public and may be used for attacks. Upgrading to version 3.0.0 addresses this issue. The patch is identified as eb63add552aa4bd9205395cf91b40654654a3cf2. It is suggested to upgrade the affected component.
| CWE | CWE-22 |
| Vendor | tugcantopaloglu |
| Product | godot-mcp |
| Published | Jul 13, 2026 |
| Last Updated | Jul 13, 2026 |
Stay Ahead of the Next One
Get instant alerts for tugcantopaloglu godot-mcp
Be the first to know when new medium vulnerabilities affecting tugcantopaloglu godot-mcp are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Affected Versions
tugcantopaloglu / godot-mcp
2.0.0
References
vuldb.com: https://vuldb.com/vuln/377851 vuldb.com: https://vuldb.com/vuln/377851/cti vuldb.com: https://vuldb.com/cve/CVE-2026-15522 vuldb.com: https://vuldb.com/submit/854523 github.com: https://github.com/tugcantopaloglu/godot-mcp/issues/9 github.com: https://github.com/tugcantopaloglu/godot-mcp/commit/eb63add552aa4bd9205395cf91b40654654a3cf2 github.com: https://github.com/tugcantopaloglu/godot-mcp/releases/tag/v3.0.0 github.com: https://github.com/tugcantopaloglu/godot-mcp/
Credits
๐ Mcfly_Zhang (VulDB User)