CVE-2026-10278 | A vulnerability was determined in ishayoyo excel-mcp up to 1… | CVSS 6.3 MEDIUM

Description

A vulnerability was determined in ishayoyo excel-mcp up to 1.0.2. Impacted is an unknown function of the file src/index.ts of the component read_file/write_file. Executing a manipulation of the argument filePath/outputPath can lead to path traversal. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through an issue report but has not responded yet.

Metadata

CVE ID: CVE-2026-10278
State: PUBLISHED
Assigner: VulDB
Reserved: 2026-05-31 16:10 UTC
Published: 2026-06-01 17:30 UTC
Last updated: 2026-06-02 12:46 UTC
Primary CWE: CWE-22
Path Traversal
Vendor / Product: ishayoyo / excel-mcp
Sources: cve.org · NVD

Severity & Metrics

6.3 MEDIUM CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R

SSVC — CISA Coordinator

Exploitation: PoC
Automatable: no
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
ishayoyo	excel-mcp	—	1.0.0, 1.0.1, 1.0.2

Weakness (CWE)

CWE	Source	Description
CWE-22	cna	Path Traversal

CVSS scores (4)

Score	Severity	Version	Source	Vector
6.5	N/D	2.0	cna	AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR
6.3	MEDIUM	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
6.3	MEDIUM	3.0	cna	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
5.3	MEDIUM	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P

References (6)

VDB-367571 | ishayoyo excel-mcp read_file/write_file index.ts path traversal https://vuldb.com/vuln/367571
VDB-367571 | CTI Indicators (IOB, IOC, TTP, IOA) https://vuldb.com/vuln/367571/cti
CVE-2026-10278 | CVE Analysis and Report https://vuldb.com/cve/CVE-2026-10278
Submit #825418 | ishayoyo excel-mcp 1.0.2 Path Traversal https://vuldb.com/submit/825418
https://github.com/ishayoyo/excel-mcp/issues/6
https://github.com/ishayoyo/excel-mcp/