CVE Catalog

CVE-2026-26015

Critical
Published: Translated: NVD NIST

Summary

DocsGPT, a GPT-powered chat for documentation, has a vulnerability in versions from 0.15.0 to before 0.16.0 that allows an attacker to achieve remote code execution (RCE) via a malicious payload bypassing the 'MCP test'. This issue has been patched in version 0.16.0.

Risk Assessment

This vulnerability could lead to serious consequences, including unauthorized access to organizational systems and data. An attacker could exploit this vulnerability to execute arbitrary code remotely.

Recommendation

It is recommended to update DocsGPT to version 0.16.0 or later to mitigate this vulnerability. A security audit of existing deployments should also be conducted.

Original NVD description (English source)

DocsGPT is a GPT-powered chat for documentation. From version 0.15.0 to before version 0.16.0, an attacker accessing both the official DocsGPT website or any local and public deployment, can craft a malicious payload bypassing the "MCP test" behavior to achieve arbitrary remote code execution (RCE). This issue has been patched in version 0.16.0.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS