๐Ÿ” CVE Alert

CVE-2026-15522

MEDIUM 5.3

tugcantopaloglu godot-mcp run_project index.js validatePath path traversal

CVSS Score
5.3
EPSS Score
0.1%
EPSS Percentile
4th

A security flaw has been discovered in tugcantopaloglu godot-mcp 2.0.0. Affected by this vulnerability is the function validatePath of the file build/index.js of the component run_project. The manipulation of the argument projectPath results in path traversal. Attacking locally is a requirement. The exploit has been released to the public and may be used for attacks. Upgrading to version 3.0.0 addresses this issue. The patch is identified as eb63add552aa4bd9205395cf91b40654654a3cf2. It is suggested to upgrade the affected component.

CWE CWE-22
Vendor tugcantopaloglu
Product godot-mcp
Published Jul 13, 2026
Last Updated Jul 13, 2026
Stay Ahead of the Next One

Get instant alerts for tugcantopaloglu godot-mcp

Be the first to know when new medium vulnerabilities affecting tugcantopaloglu godot-mcp are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability

Affected Versions

tugcantopaloglu / godot-mcp
2.0.0

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
vuldb.com: https://vuldb.com/vuln/377851 vuldb.com: https://vuldb.com/vuln/377851/cti vuldb.com: https://vuldb.com/cve/CVE-2026-15522 vuldb.com: https://vuldb.com/submit/854523 github.com: https://github.com/tugcantopaloglu/godot-mcp/issues/9 github.com: https://github.com/tugcantopaloglu/godot-mcp/commit/eb63add552aa4bd9205395cf91b40654654a3cf2 github.com: https://github.com/tugcantopaloglu/godot-mcp/releases/tag/v3.0.0 github.com: https://github.com/tugcantopaloglu/godot-mcp/

Credits

๐Ÿ” Mcfly_Zhang (VulDB User)