Home / Vulnerability Intelligence / CVE-2026-30625

CVE-2026-30625 - Vulnerability Analysis

CriticalCVSS: 9.8

Last Updated: April 17, 2026

Upsonic - Remote Code Execution

Published: April 15, 2026Updated: April 17, 2026Remote Exploitable

Overview

Upsonic 0.71.6 contains a remote code execution caused by insufficient command argument validation in MCP server/task creation, letting attackers execute arbitrary OS commands with Upsonic process privileges, exploit requires crafted MCP tasks.

Severity & Score

Severity: Critical

CVSS Score: 9.8

EPSS Score: 31.4%(Probability of exploitation in next 30 days)

Impact

Attackers can execute arbitrary OS commands remotely with Upsonic process privileges, potentially compromising the system.

Mitigation

Update to version 0.72.0 or later.

References

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Apr 18, 2026

🔴 CVE-2026-30625 - Critical (9.8) Upsonic 0.71.6 contains a remote code execution vulnerability in its MCP server/task creation functionality. The application allows users to define MCP tasks with arbitrary command and args values. Although an allowlist exists, certain allowed com... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-30625/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID: CVE-2026-30625
Severity: Critical
CVSS Score: 9.8
Type: command_injection
Status: unconfirmed
EPSS: 31.4%
Social Posts: 1

CWE

CWE-77

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score

31.4%Probability of exploitation in the next 30 days