CVE-2026-13489
Severity: Low (CVSS 3.1)
Exploitation Probability (EPSS): Low risk, 13th percentile (higher than 13% of all known CVEs)
Summary
A weakness has been identified in the MCP Response Handler component of 78 xiaozhi-esp32 up to and including version 2.2.6. The issue is improper synchronization in the ParseMessage function of main/mcp_server.cc. Remote exploitation is possible but is considered difficult because of the high attack complexity.
Risk Assessment
The organization faces potential remote attacks that could disrupt system operations, but the risk is limited because exploitation is complex and difficult.
Recommendation
Monitor the pending pull request for a fix and apply it as soon as it is merged and released. Until then, restrict network access to the vulnerable MCP Response Handler so that only trusted clients can reach it.
Original NVD description (English source)
A weakness has been identified in 78 xiaozhi-esp32 up to 2.2.6. Affected by this issue is the function ParseMessage of the file main/mcp_server.cc of the component MCP Response Handler. This manipulation causes improper synchronization. Remote exploitation of the attack is possible. The attack's complexity is rated as high. The exploitation is known to be difficult. The exploit has been made available to the public and could be used for attacks. The pull request to fix this issue awaits acceptance.