| शीर्षक | ArtMin96 yii2-mcp-server 1.0.2 Command Injection |
|---|
| विवरण | A command injection vulnerability (CWE-78) has been identified in yii2-mcp-server version 1.0.2, specifically within the yii_command_help and yii_execute_command MCP tools. The server constructs shell command strings by concatenating user‑supplied arguments (e.g., command and args) directly into a php yii command line and executes them via child_process.exec without proper escaping or argument‑vector separation. An attacker with network access to the MCP interface can inject shell metacharacters (e.g., ; id) to execute arbitrary operating system commands with the privileges of the server process, leading to full host compromise, including data exposure, integrity loss, and service disruption. No fixed version is available at the time of reporting. |
|---|
| स्रोत | ⚠️ https://github.com/ArtMin96/yii2-mcp-server/issues/3 |
|---|
| उपयोगकर्ता | _Eternity_ (UID 97332) |
|---|
| सबमिशन | 15/04/2026 10:48 AM (2 महीनों पहले) |
|---|
| संयम | 01/05/2026 12:49 PM (16 days later) |
|---|
| स्थिति | स्वीकृत |
|---|
| VulDB प्रविष्टि | 360557 [ArtMin96 yii2-mcp-server 1.0.2 MCP Interface src/index.ts yii_command_help/yii_execute_command अधिकार वृद्धि] |
|---|
| अंक | 20 |
|---|