CVE-2026-30618
Severity CVSS v4.0:
Pending analysis
Type:
CWE-94
Code Injection
Publication date:
15/07/2026
Last modified:
16/07/2026
Description
xszyou Fay 4.3.1 contains a remote code execution vulnerability in its MCP STDIO server management and command execution handling. A remote attacker can access the publicly exposed MCP management interface and configure an MCP STDIO server with attacker-controlled commands and parameters, resulting in execution of arbitrary commands on the server. Successful exploitation allows arbitrary command execution within the context of the Fay service.
Impact
Base Score 3.x
9.80
Severity 3.x
CRITICAL



