PatchSiren cyber security CVE debrief
CVE-2026-44717 611711Dark CVE debrief
CVE-2026-44717 is a critical remote code execution vulnerability in MCP Calculate Server affecting versions prior to 0.1.1. The issue stems from the use of eval() to evaluate mathematical expressions without proper input sanitization, so an attacker who can submit an expression can execute arbitrary code with the privileges of the server process. The vulnerability was reported in a GitHub security advisory and fixed in 0.1.1.
- Vendor: 611711Dark
- Product: mcp_calculate_server
- CVSS: CRITICAL 9.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-15
- Original CVE updated: 2026-05-18
- Advisory published: 2026-05-15
- Advisory updated: 2026-05-18
Who should care
Operators and developers running MCP Calculate Server before 0.1.1, especially any deployment that accepts untrusted or user-supplied expressions. Security teams responsible for services exposed over a network should treat this as urgent because exploitation could lead to full compromise of the host running the server.
Technical summary
The advisory describes unsafe evaluation of mathematical expressions with eval() and no adequate input sanitization. Because the service hands the expression string it receives directly to the language interpreter, an attacker-controlled expression is executed as code rather than parsed as arithmetic; any construct the interpreter accepts (module imports, function calls, attribute access) is reachable, not only numbers and operators. NVD lists the issue with CVSS 3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (network-reachable, low attack complexity, no privileges or user interaction required, high impact to confidentiality, integrity, and availability) and a CWE-94 classification, consistent with code injection leading to remote code execution. The fix is identified as version 0.1.1.
Defensive priority
Immediate. This is a network-reachable, unauthenticated code execution issue with high impact to confidentiality, integrity, and availability. Prioritize upgrade and exposure reduction ahead of routine maintenance.
Recommended defensive actions
- Upgrade MCP Calculate Server to version 0.1.1 or later immediately.
- If upgrading is not immediately possible, remove or isolate the service from untrusted network access.
- Review any deployments that accept external or tenant-provided expressions for potential abuse paths.
- Monitor the host and service for unexpected process execution or other signs of compromise.
- Validate that downstream integrations are not pinning vulnerable versions.
- Track the GitHub security advisory and NVD record for any additional guidance or updates.
Evidence notes
The primary evidence is the GitHub security advisory referenced by NVD, which states that MCP Calculate Server prior to 0.1.1 uses eval() without proper input sanitization and that the issue is fixed in 0.1.1. NVD lists the vulnerability as Deferred and includes the advisory reference, CVSS vector, and CWE-94 classification. No additional vendor data was supplied beyond the advisory link.
Official resources
- CVE-2026-44717 CVE record (CVE.org)
- CVE-2026-44717 NVD detail (NVD)
- Source reference
CVE published 2026-05-15 and last modified 2026-05-18, based on the supplied CVE timeline. The underlying advisory reference was also published on 2026-05-15.