CVE-2026-7785

High

Published: 05 May 2026

Published

05 May 2026

Modified

05 May 2026

KEV Added

—

Patch

—

CVSS Score 7.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

EPSS Score 0.0104 77.5th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Description

A security flaw has been discovered in A-G-U-P-T-A wireshark-mcp edaf604416fbc94a201b4043092d4a1b09a12275/400c3da70074f22f3cce7ccb65304cafc7089c89. This affects the function quick_capture of the file pyshark_mcp.py. The manipulation results in os command injection. The attack may be launched remotely. The exploit has been released to the public…

and may be used for attacks. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases. The project was informed of the problem early through an issue report but has not responded yet.

Likely Mitigating ControlsAI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

SC-27 Platform-independent Applications

addresses: CWE-78

Platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection.

SI-10 Information Input Validation

addresses: CWE-78

Validates inputs to block special elements that would alter OS command execution.

Security SummaryAI

CVE-2026-7785 is an OS command injection vulnerability in the quick_capture function within the pyshark_mcp.py file of the A-G-U-P-T-A/wireshark-mcp project, specifically affecting commits edaf604416fbc94a201b4043092d4a1b09a12275 and 400c3da70074f22f3cce7ccb65304cafc7089c89. This flaw, associated with CWE-77 and CWE-78, was published on 2026-05-05 and carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L). The project operates on a rolling release model with continuous delivery, so no specific affected or patched versions are available.

The vulnerability enables remote exploitation without authentication or user interaction, allowing attackers to inject arbitrary OS commands via manipulated inputs to the quick_capture function. Successful exploitation could result in limited impacts to confidentiality, integrity, and availability, such as unauthorized command execution on the host system running the affected component.

References, including the project's GitHub repository and issue #1, indicate that the issue was reported early to the maintainers, but they have not yet responded or issued any patches or mitigations. Additional details are available on VulDB entries for submission and vulnerability tracking. An exploit has been publicly released, increasing the risk of active attacks.

Details

CWE(s): CWE-77 CWE-78

AI Security AnalysisAI

AI Category: AI Agent Protocols and Integrations
Risk Domain: Protocol-Specific Risks
OWASP Top 10 for LLMs 2025: None mapped
MITRE ATLAS Techniques: None mapped
Classification Reason: Matched keywords: mcp

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1059 Command and Scripting Interpreter Execution

Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.

attack.mitre.org →

Why these techniques?

Remote unauthenticated OS command injection in public-facing app (quick_capture) directly enables T1190 for initial access and T1059 for arbitrary command execution via shell.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

References

https://github.com/A-G-U-P-T-A/wireshark-mcp/
cna@vuldb.com
https://github.com/A-G-U-P-T-A/wireshark-mcp/issues/1
cna@vuldb.com
https://vuldb.com/submit/807745
cna@vuldb.com
https://vuldb.com/vuln/360985
cna@vuldb.com
https://vuldb.com/vuln/360985/cti
cna@vuldb.com