Cyber Posture

CVE-2026-3484

MediumPublic PoC

Published: 03 March 2026

Published
03 March 2026
Modified
05 March 2026
KEV Added
Patch
CVSS Score 6.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
EPSS Score 0.0043 63.0th percentile
Risk Priority 13 60% EPSS · 20% KEV · 20% CVSS

Description

A vulnerability was detected in PhialsBasement nmap-mcp-server up to bee6d23547d57ae02460022f7c78ac0893092e38. Affected by this issue is the function child_process.exec of the file src/index.ts of the component Nmap CLI Command Handler. The manipulation results in command injection. The attack may be performed…

more

from remote. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. The patch is identified as 30a6b9e1c7fa6146f51e28d6ab83a2568d9a3488. It is best practice to apply a patch to resolve this issue.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Timely remediation by applying the patch commit 30a6b9e1c7fa6146f51e28d6ab83a2568d9a3488 directly resolves the command injection vulnerability in the Nmap CLI Command Handler.

SI-10 Information Input Validation good match
prevent

Validates and sanitizes inputs to the child_process.exec function in src/index.ts to block malicious command injection payloads.

AC-6 Least Privilege partial match
prevent

Enforces least privilege on the nmap-mcp-server process and authenticated users to restrict the scope and impact of any successfully injected commands.

Security SummaryAI

CVE-2026-3484 is a command injection vulnerability affecting PhialsBasement nmap-mcp-server up to commit bee6d23547d57ae02460022f7c78ac0893092e38. The issue resides in the child_process.exec function within the src/index.ts file of the Nmap CLI Command Handler component. This flaw, classified under CWE-74 and CWE-77, allows remote manipulation leading to arbitrary command execution. The product follows a rolling release model, so specific version details for affected or patched releases are not disclosed.

The vulnerability can be exploited remotely over the network with low complexity and no user interaction required, but it necessitates low privileges (PR:L) such as an authenticated user account. Successful exploitation grants limited impact across confidentiality, integrity, and availability (C:L/I:L/A:L), with an overall CVSS v3.1 base score of 6.3. An attacker could inject malicious commands via the Nmap CLI handler, potentially leading to unauthorized system access or execution of arbitrary code within the server's context.

Mitigation involves applying the patch commit 30a6b9e1c7fa6146f51e28d6ab83a2568d9a3488, as recommended in the project's advisories. Security practitioners should update their nmap-mcp-server installations to this commit or later, given the rolling release nature of the software. Relevant details are available in the GitHub repository, patch commit, and associated issue tracker.

Details

CWE(s)
CWE-74CWE-77

Affected Products

phialsbasement
mcp nmap server
≤ 1.0.1

AI Security AnalysisAI

AI Category
AI Agent Protocols and Integrations
Risk Domain
Protocol-Specific Risks
OWASP Top 10 for LLMs 2025
None mapped
MITRE ATLAS Techniques
None mapped
Classification Reason
Matched keywords: mcp

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
attack.mitre.org →
Why these techniques?

CVE enables remote command injection for arbitrary command execution via a network-exposed service (T1190) using Unix shell (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References