VYPR

PyPI package

mcp-run-python

pkg:pypi/mcp-run-python

Vulnerabilities (2)

  • CVE-2026-25905 · Med · Feb 9, 2026
    affected <= 0.0.22

    The Python code being run by 'runPython' or 'runPythonAsync' is not isolated from the rest of the JS code, allowing any Python code to use the Pyodide APIs to modify the JS environment. This may result in an attacker hijacking the MCP server - for malicious purposes including MCP

  • CVE-2026-25904 · Med · Feb 9, 2026
    affected <= 0.0.22

    The Pydantic-AI MCP Run Python tool configures the Deno sandbox with an overly permissive configuration that allows the underlying Python code to access the localhost interface of the host to perform SSRF attacks. Note - the "mcp-run-python" project is archived and unlikely to re