What is CVE-2026-25905?

CVE-2026-25905 is a medium-severity vulnerability, classified under CWE-653. CVSS score: 5.8/10. Published 2026-02-09.

How severe is CVE-2026-25905?

Medium severity. CVSS v3 base score is 5.8 out of 10.

CVE-2026-25905

CVE-2026-25905

The Python code being run by 'runPython' or 'runPythonAsync' is not isolated from the rest of the JS code, allowing any Python code to use the Pyodide APIs to modify the JS environment. This may result in an attacker hijacking the MCP serv…

EPSS: 0.000 (2.4th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 5.8 (Medium). Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L.

Weakness classification (CWE)

CWE-653

References

research.jfrog.com/vulnerabilities/mcp-run-python-lack-of-isolation-mcp-takeove… (third-party-advisory)

Frequently asked questions

What is CVE-2026-25905?: CVE-2026-25905 is a medium-severity vulnerability, classified under CWE-653. CVSS score: 5.8/10. Published 2026-02-09.
How severe is CVE-2026-25905?: Medium severity. CVSS v3 base score is 5.8 out of 10.