CVE-2026-26015
CRITICAL WAF: High
CVSS 9.8
Published: 2026-04-29
CWE-77
DocsGPT is a GPT-powered chat for documentation. From version 0.15.0 to before version 0.16.0, an attacker accessing both the official DocsGPT website or any local and public deployment, can craft a malicious payload bypassing the "MCP test" behavior to achieve arbitrary remote code execution (RCE). This issue has been patched in version 0.16.0.
WAF Coverage Analysis
Command Injection
High WAF Coverage
OWASP: A03:2021 Injection
932xxx - Remote Code Execution
Affected Software
| Vendor | Product | Version |
|---|---|---|
| arc53 | docsgpt | 0.15.0 |
References
- github.com (Release Notes)
- github.com (Exploit, Vendor Advisory)
- www.ox.security
- www.ox.security