Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7DescriptionCVE.org
A security vulnerability has been detected in Sunwood-ai-labs command-executor-mcp-server up to 0.1.0. This impacts the function execute_command of the file src/index.ts of the component MCP Interface. The manipulation leads to os command injection. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet.
AnalysisAI
OS command injection in Sunwood-ai-labs command-executor-mcp-server versions up to 0.1.0 allows remote unauthenticated attackers to execute arbitrary system commands via the MCP interface execute_command function. The vulnerability carries a CVSS score of 7.3 with a complete remote attack vector (AV:N/AC:L/PR:N/UI:N), enabling unauthorized data access, system modification, and service disruption. A proof-of-concept exploit has been publicly disclosed via GitHub issue #6, significantly lowering the barrier to exploitation. EPSS data not available, but public POC availability and unauthenticated remote vector indicate elevated real-world risk despite the moderate CVSS score.
Technical ContextAI
The vulnerability exists in the execute_command function within src/index.ts of the MCP (Model Context Protocol) interface implementation. Command-executor-mcp-server is a server component that provides command execution capabilities through the MCP protocol, commonly used for AI/LLM tool integration. The flaw is classified as CWE-78 (OS Command Injection), meaning user-controlled input is passed to system command execution functions without proper sanitization or validation. The MCP interface likely accepts structured command requests and executes them on the underlying operating system, but fails to neutralize special elements that could modify the intended command structure (such as shell metacharacters, command separators, or injection sequences). This architectural pattern-exposing command execution through a network interface-creates inherent risk when input validation is insufficient.
RemediationAI
No vendor-released patch identified at time of analysis-the project maintainers have not responded to the vulnerability disclosure reported via GitHub issue #6 (https://github.com/Sunwood-ai-labs/command-executor-mcp-server/issues/6). Organizations using command-executor-mcp-server should immediately implement compensating controls: (1) Remove network exposure by binding the MCP interface to localhost only or placing behind authenticated reverse proxy with strict access controls-this eliminates remote attack vector but breaks distributed AI tool integration scenarios. (2) Implement application-layer input validation using allowlists for permitted commands and arguments, rejecting any input containing shell metacharacters (;|&$`\n<>), though this risks breaking legitimate command functionality and requires comprehensive testing. (3) Deploy the service in a heavily restricted container or sandbox environment with minimal privileges, read-only filesystem mounts where possible, and no network egress-limits post-exploitation impact but adds operational complexity. (4) Monitor for project updates at https://github.com/Sunwood-ai-labs/command-executor-mcp-server/ and VulDB entry https://vuldb.com/vuln/360546 for patch releases. If command execution functionality is not critical to operations, consider migrating to alternative MCP server implementations with established security track records.
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26717