| Title | GitHub HarmonyOS-mcp-server v0.1.0 Command Injection |
|---|---|
| Description | The `text` parameter of the `input_text` tool provided by the MCP server is passed to `asyncio.create_subprocess_shell`, which interprets it through the shell. This leads to arbitrary code execution. |
| Timeline | January 16, 2026: Vulnerability discovered<br>January 19, 2026: Author XixianLiang notified<br>January 24, 2026: Author confirms the vulnerability exists |
| Source | ⚠️ https://github.com/scanleale/MCP_sec/blob/main/HarmonyOS-mcp-server%20RCE%20vulnerability.md |
| User | Lexpl0it (UID 89340) |
| Submitted | 2026-01-27 07:03 (3 months ago) |
| Moderated | 2026-02-06 21:52 (11 days later) |
| Status | Accepted |
| VulDB entry | 344766 [XixianLiang HarmonyOS-mcp-server 0.1.0 input_text privilege escalation] |
| Points | 19 |