Command Executor Mcp Server
Monthly
OS command injection in Sunwood-ai-labs command-executor-mcp-server versions up to 0.1.0 allows remote unauthenticated attackers to execute arbitrary system commands via the MCP interface execute_command function. The vulnerability carries a CVSS score of 7.3 with a complete remote attack vector (AV:N/AC:L/PR:N/UI:N), enabling unauthorized data access, system modification, and service disruption. A proof-of-concept exploit has been publicly disclosed via GitHub issue #6, significantly lowering the barrier to exploitation. EPSS data not available, but public POC availability and unauthenticated remote vector indicate elevated real-world risk despite the moderate CVSS score.
OS command injection in Sunwood-ai-labs command-executor-mcp-server versions up to 0.1.0 allows remote unauthenticated attackers to execute arbitrary system commands via the MCP interface execute_command function. The vulnerability carries a CVSS score of 7.3 with a complete remote attack vector (AV:N/AC:L/PR:N/UI:N), enabling unauthorized data access, system modification, and service disruption. A proof-of-concept exploit has been publicly disclosed via GitHub issue #6, significantly lowering the barrier to exploitation. EPSS data not available, but public POC availability and unauthenticated remote vector indicate elevated real-world risk despite the moderate CVSS score.