Chatbox
OS command injection in chatboxai chatbox up to version 1.20.0 allows remote attackers to execute arbitrary system commands by manipulating the args/env parameters in the StdioClientTransport component of the Model Context Protocol Server Management System. The vulnerability has a publicly available proof-of-concept exploit and affects the IPC stdio transport mechanism that handles subprocess spawning without proper input sanitization. While the vendor was notified early, no patch has been released as of the analysis date.