What is GHSA-64vr-4gr2-m642?

GHSA-64vr-4gr2-m642 is a security advisory published by GitHub Security Advisories with High severity. automagik-genie has a command injection vulnerability

Which CVE IDs does GHSA-64vr-4gr2-m642 cover?

GHSA-64vr-4gr2-m642 covers the following CVE IDs: CVE-2026-30635. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

What is the CVSS v3 score of GHSA-64vr-4gr2-m642?

GHSA-64vr-4gr2-m642 has a CVSS v3 base score of 8.1, published by GitHub Security Advisories.

Which products are affected by GHSA-64vr-4gr2-m642?

GHSA-64vr-4gr2-m642 affects 1 product, including: npm/automagik-genie:= 2.5.27.

GHSA-64vr-4gr2-m642HighCVSS 8.1

automagik-genie has a command injection vulnerability

Vendor

GitHub Security Advisories

Published

May 11, 2026

Last Modified

May 18, 2026

🔗 CVE IDs covered (1)

CVE-2026-30635 →

📋 Description

Command injection vulnerability in automagik-genie 2.5.27 MCP Server allows attackers to execute arbitrary commands via the view_task (aka view) in the readTranscriptFromCommit function in dist/mcp/server.js when a user reads from an external FORGE_BASE_URL.

🎯 Affected products1

npm/automagik-genie:= 2.5.27

🔗 References (3)

https://nvd.nist.gov/vuln/detail/CVE-2026-30635
https://gist.github.com/spdc-elm/3ddecd10ffa85c5963ab7fe531619875
https://github.com/advisories/GHSA-64vr-4gr2-m642