Xcode Mcp Server
OS command injection in PolarVista xcode-mcp-server 1.0.0 allows remote unauthenticated attackers to execute arbitrary system commands via crafted MCP requests to the build_project or run_tests functions. The vulnerability stems from insufficient input validation in src/index.ts when processing Request parameters. Publicly available exploit code exists (GitHub), and the vendor has not responded to early vulnerability disclosure attempts, leaving users without an official patch. EPSS data is not available, but a public exploit combined with a network-accessible attack vector (CVSS AV:N/AC:L/PR:N) indicates elevated real-world risk for exposed instances.
Command injection in Xcode MCP Server's LLDB integration allows authenticated network attackers to execute arbitrary commands by manipulating the args parameter in the registerXcodeTools function. Public exploit code exists for this vulnerability, increasing the practical risk to organizations using affected versions. Users should apply the available patch to remediate this medium-severity flaw affecting the AI/ML tooling component.
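The mitigation both advisories point to, as an added example that is not the project's own code: a hardened handler for the build_project and run_tests tools that validates each request field against an allowlist and hands it to xcodebuild as a separate argv element through execFile, so no shell ever parses user input. The request shape, field names and patterns are assumptions, not taken from src/index.ts.

```typescript
import { execFile } from "node:child_process";
import { promisify } from "node:util";

const execFileAsync = promisify(execFile);

// Assumed shape of the MCP request that build_project / run_tests receive.
interface BuildRequest {
  projectPath: string;   // path to a .xcodeproj or .xcworkspace
  scheme: string;        // value for xcodebuild -scheme
  destination?: string;  // optional value for xcodebuild -destination
}

// Allowlists: only the characters these xcodebuild arguments legitimately need.
const SAFE_PATH = /^[A-Za-z0-9._/ -]{1,512}\.(xcodeproj|xcworkspace)$/;
const SAFE_SCHEME = /^[A-Za-z0-9._ -]{1,128}$/;
const SAFE_DESTINATION = /^[A-Za-z0-9=,._ -]{1,256}$/;

// Reject anything outside the allowlist, any ".." path segment, and any value
// starting with "-" (which xcodebuild could otherwise read as a new option).
function checked(value: unknown, pattern: RegExp, field: string): string {
  if (typeof value !== "string" || !pattern.test(value) ||
      value.includes("..") || value.startsWith("-")) {
    throw new Error(`invalid ${field}`);
  }
  return value;
}

// Build the argv for xcodebuild. Each request field becomes exactly one argument,
// so shell metacharacters inside it can never start a second command.
function buildArgv(req: BuildRequest, action: "build" | "test"): string[] {
  const projectPath = checked(req.projectPath, SAFE_PATH, "projectPath");
  const flag = projectPath.endsWith(".xcworkspace") ? "-workspace" : "-project";
  const argv = [flag, projectPath, "-scheme", checked(req.scheme, SAFE_SCHEME, "scheme")];
  if (req.destination !== undefined) {
    argv.push("-destination", checked(req.destination, SAFE_DESTINATION, "destination"));
  }
  argv.push(action);
  return argv;
}

// execFile spawns xcodebuild directly with the argv array; no shell is involved.
async function runXcodebuild(req: BuildRequest, action: "build" | "test"): Promise<string> {
  const { stdout } = await execFileAsync("xcodebuild", buildArgv(req, action), { timeout: 600_000 });
  return stdout;
}

const buildProject = (req: BuildRequest) => runXcodebuild(req, "build");
const runTests = (req: BuildRequest) => runXcodebuild(req, "test");
```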