CVE Catalog

CVE-2026-13489

Low · CVSS 3.1

Exploitation Probability (EPSS)

Low risk
0.23%

13th percentile — higher than 13% of all known CVEs

Summary

A weakness has been identified in the MCP Response Handler component of 78 xiaozhi-esp32 up to version 2.2.6, involving improper synchronization in the ParseMessage function of main/mcp_server.cc. Remote exploitation is possible but considered difficult due to high attack complexity.

Risk Assessment

The organization faces potential remote attacks that could disrupt system operations, but the risk is limited due to the high complexity and difficulty of exploitation.

Recommendation

Monitor the progress of the pending pull request for a fix and apply it immediately once available. Until then, consider restricting network access to the vulnerable component.

Original NVD description (English source)

A weakness has been identified in 78 xiaozhi-esp32 up to 2.2.6. Affected by this issue is the function ParseMessage of the file main/mcp_server.cc of the component MCP Response Handler. This manipulation causes improper synchronization. Remote exploitation of the attack is possible. The attack's complexity is rated as high. The exploitation is known to be difficult. The exploit has been made available to the public and could be used for attacks. The pull request to fix this issue awaits acceptance.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS