CVE-2026-49988
Repomix: attach_packed_output can bypass file-read secret scanning for supported local files
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
Repomix is a tool that packs repositories into AI-friendly files. Prior to 1.14.1, the Repomix MCP server attach_packed_output and read_repomix_output flow can register and read arbitrary local .json, .txt, .md, or .xml files without the file_system_read_file runSecretLint() safety check or Repomix packed-output validation, allowing MCP callers to bypass the local file-read secret-scanning boundary. This issue is fixed in version 1.14.1.
| CWE | CWE-200 |
| Vendor | yamadashy |
| Product | repomix |
| Published | Jul 15, 2026 |
Stay Ahead of the Next One
Get instant alerts for yamadashy repomix
Be the first to know when new unknown vulnerabilities affecting yamadashy repomix are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
yamadashy / repomix
< 1.14.1