๐Ÿ” CVE Alert

CVE-2026-49988

UNKNOWN 0.0

Repomix: attach_packed_output can bypass file-read secret scanning for supported local files

CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th

Repomix is a tool that packs repositories into AI-friendly files. Prior to 1.14.1, the Repomix MCP server attach_packed_output and read_repomix_output flow can register and read arbitrary local .json, .txt, .md, or .xml files without the file_system_read_file runSecretLint() safety check or Repomix packed-output validation, allowing MCP callers to bypass the local file-read secret-scanning boundary. This issue is fixed in version 1.14.1.

CWE CWE-200
Vendor yamadashy
Product repomix
Published Jul 15, 2026
Stay Ahead of the Next One

Get instant alerts for yamadashy repomix

Be the first to know when new unknown vulnerabilities affecting yamadashy repomix are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

yamadashy / repomix
< 1.14.1

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/yamadashy/repomix/security/advisories/GHSA-hwpp-h97w-2h3j github.com: https://github.com/yamadashy/repomix/commit/e447f7dba6f51fdb26bcad0c280542fca291960e github.com: https://github.com/yamadashy/repomix/releases/tag/v1.14.1