| tiêu đề | Braffolk mcp-summarization-functions 0.1.5 Command Injection |
|---|
| Mô tả | A command injection vulnerability (CWE-78) has been identified in mcp-summarization-functions, specifically within the mcp-server.ts component. An attacker with network access to the MCP/HTTP interface can supply maliciously crafted input through the command argument of the summarize_command tool, which flows unsanitized into OS command execution via execa. This allows arbitrary system commands to be executed with the privileges of the server process, leading to full host compromise, including data exposure, integrity loss, and potential service disruption. Versions up to and including 0.1.5 are confirmed affected. |
|---|
| Nguồn | ⚠️ https://github.com/wing3e/public_exp/issues/26 |
|---|
| Người dùng | BruceJin (UID 96538) |
|---|
| Đệ trình | 22/03/2026 13:45 (cách đây 24 ngày) |
|---|
| Kiểm duyệt | 05/04/2026 17:57 (14 days later) |
|---|
| Trạng thái | được chấp nhận |
|---|
| Mục VulDB | 355409 [Braffolk mcp-summarization-functions đến 0.1.5 summarize_command src/server/mcp-server.ts nâng cao đặc quyền] |
|---|
| điểm | 20 |
|---|