Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7DescriptionCVE.org
A security flaw has been discovered in r-huijts mcp-server-rijksmuseum up to 1.0.4. Affected is the function open_image_in_browser of the file src/index.ts of the component MCP Interface. Performing a manipulation of the argument imageUrl results in os command injection. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
AnalysisAI
Remote authenticated command injection in r-huijts mcp-server-rijksmuseum up to version 1.0.4 allows attackers with login credentials to execute arbitrary OS commands via manipulation of the imageUrl argument in the open_image_in_browser function. The vulnerability has publicly available exploit code and the vendor has not yet responded to early disclosure.
Technical ContextAI
The mcp-server-rijksmuseum application is an MCP (Model Context Protocol) interface that integrates with the Rijksmuseum API. The vulnerability exists in the open_image_in_browser function within src/index.ts, which processes user-supplied imageUrl parameters without proper sanitization before passing them to OS-level command execution. CWE-78 (Improper Neutralization of Special Elements used in an OS Command) indicates the root cause is inadequate input validation and output encoding when constructing or executing system commands. The attack vector is network-based, suggesting the vulnerable function is accessible through remote MCP protocol interactions, requiring an authenticated session.
RemediationAI
Upgrade mcp-server-rijksmuseum to a patched version above 1.0.4 if available; check the project repository at https://github.com/r-huijts/rijksmuseum-mcp for updates. If no patched release is available, implement input validation and sanitization for the imageUrl parameter by employing strict URL parsing (allowlist only valid Rijksmuseum image domains), using parameterized command execution instead of shell concatenation, and escaping any special characters before OS command invocation. Additionally, restrict access to the MCP server to trusted networks using network segmentation or firewall rules, and enforce strong authentication credentials to reduce the likelihood of credential compromise. Monitor for suspicious image URL parameters in application logs for signs of exploitation attempts.
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26800