Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7DescriptionCVE.org
A vulnerability has been found in AvinashBole quip-mcp-server 1.0.0. Affected by this vulnerability is the function setupToolHandlers of the file src/index.ts. Such manipulation leads to command injection. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
AnalysisAI
Remote command injection in Quip MCP Server 1.0.0 allows authenticated attackers to execute arbitrary system commands through the setupToolHandlers function in src/index.ts. Public exploit code exists for this vulnerability, and the developers have not yet released a patch despite early notification. The attack requires valid credentials but can be performed over the network with no user interaction needed.
Technical ContextAI
The vulnerability is a command injection flaw (CWE-77: Improper Neutralization of Special Elements used in a Command) in the quip-mcp-server application, which appears to be an MCP (Model Context Protocol) server implementation. The affected code path is the setupToolHandlers function in src/index.ts, which likely constructs and executes system commands without proper input sanitization. The CPE identifier (cpe:2.3:a:avinashbole:quip-mcp-server:*:*:*:*:*:*:*:*) indicates this affects the quip-mcp-server application across all versions, with confirmed impact on version 1.0.0. MCP servers often interact with external systems or execute tool handlers that may invoke shell commands, creating a natural attack surface if user-supplied input is incorporated into command construction without escaping.
RemediationAI
Immediate Actions: (1) If using quip-mcp-server 1.0.0, evaluate whether the application handles untrusted user input in the setupToolHandlers function; (2) Restrict network access to the MCP server to trusted internal networks only; (3) Implement authentication and authorization controls to limit who can interact with tool handlers. Patch Status: No official patch version is currently available from the vendor. Workarounds: (1) Implement input validation and sanitization in any code calling setupToolHandlers to strip or escape shell metacharacters; (2) Use allowlists for permitted commands rather than constructing dynamic commands; (3) Run the MCP server with minimal privileges (non-root user, restricted file permissions); (4) Use OS-level sandboxing or containers to limit blast radius of command injection. Monitoring: Monitor for evidence of exploitation by auditing process execution and command-line arguments on systems running quip-mcp-server. References for updates: https://github.com/AvinashBole/quip-mcp-server/issues/4 (issue tracker) and https://vuldb.com/?id.351099 (VulDB entry).
Same weakness CWE-77 – Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-12255