Submit #747209: GitHub HarmonyOS-mcp-server v0.1.0 Command Injection
| Title | GitHub HarmonyOS-mcp-server v0.1.0 Command Injection |
|---|---|
| Description | The `text` parameter of the `input_text` tool provided by MCP uses the `asyncio.create_subprocess_shell` function for parsing. This leads to arbitrary code execution. Timeline: January 16, 2026: Vulnerability discovered; January 19, 2026: Author XixianLiang notified; January 24, 2026: Author confirms the vulnerability exists |
| Source | ⚠️ https:/ |
| User | Lexpl0it (UID 89340) |
| Submission | 27.01.2026 07:03 (3 months ago) |
| Moderation | 06.02.2026 21:52 (11 days later) |
| Status | Accepted |
| VulDB Entry | 344766 [XixianLiang HarmonyOS-mcp-server 0.1.0 input_text privilege escalation] |
| Points | 19 |