@akoskm/create-mcp-server-stdio is vulnerable to MCP Server Command Injection through `exec` API
Command Injection in MCP Server The MCP Server at https://github.com/akoskm/create-mcp-server-stdio is written in a way that is vulnerable to command injection vulnerability attacks as part of some of its MCP Server tool definition and implementation. Vulnerable tool The MCP Server exposes the to...
CVE-2025-54994 @akoskm/create-mcp-server-stdio has Command Injection in MCP Server due to unsafe `exec` API
@akoskm/create-mcp-server-stdio is an MCP server starter kit that uses the StdioServerTransport. Prior to version 0.0.13, the MCP Server is written in a way that is vulnerable to command injection vulnerability attacks as part of some of its MCP Server tool definition and implementation. The MCP...
CVE-2025-54994
CVE-2025-54994 affects the MCP Server Starter kit @akoskm/create-mcp-server-stdio. The vulnerable component is the which-app-on-port tool that uses Node.js child_process.exec, exposing command-injection risk when user input is unsafely concatenated into shell commands. Affected versions precede 0...
PT-2025-36603
Command Injection in MCP Server The MCP Server at https://github.com/akoskm/create-mcp-server-stdio is written in a way that is vulnerable to command injection vulnerability attacks as part of some of its MCP Server tool definition and implementation. Vulnerable tool The MCP Server exposes the to...
PT-2025-36503
Name of the Vulnerable Software and Affected Versions: @akoskm/create-mcp-server-stdio versions prior to 0.0.13 Description: The @akoskm/create-mcp-server-stdio package, an MCP server starter kit utilizing the StdioServerTransport, contains a command injection issue in versions prior to 0.0.13. Th...
Malicious code in rigel-exec-ichnology-playwright (npm)
The package rigel-exec-ichnology-playwright was found to contain malicious code...
Malicious code in local-release-it-exec-graphql (npm)
The package local-release-it-exec-graphql was found to contain malicious code...
MAL-2025-44193 Malicious code in exec-exoplanetology-hercules-titan (npm)
The package exec-exoplanetology-hercules-titan was found to contain malicious code...
MAL-2025-44464 Malicious code in gravity-exec-geochemistry-jwt (npm)
The package gravity-exec-geochemistry-jwt was found to contain malicious code...
MAL-2025-45615 Malicious code in publish-exec-quasar-puppeteer (npm)
The package publish-exec-quasar-puppeteer was found to contain malicious code...
MAL-2025-45847 Malicious code in rigel-exec-ichnology-playwright (npm)
The package rigel-exec-ichnology-playwright was found to contain malicious code...
Malicious code in gravity-exec-geochemistry-jwt (npm)
The package gravity-exec-geochemistry-jwt was found to contain malicious code...
MAL-2025-45057 Malicious code in local-release-it-exec-graphql (npm)
The package local-release-it-exec-graphql was found to contain malicious code...
RCE-Foryou
RCE-Foryou Python tool for safely testing and exploiting RCE v...
Unsanitized NUL in environment variables on Windows in syscall and os/exec
...
Linux Distros Unpatched Vulnerability : CVE-2020-24361
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - SNMPTT before 1.4.2 allows attackers to execute shell code via EXEC, PREXEC, or unknowntrapexec. CVE-2020-24361 Note that Nessus relies on the presence of the...
Linux Distros Unpatched Vulnerability : CVE-2022-31212
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - An issue was discovered in dbus-broker before 31. It depends on c-uitl/c-shquote to parse the DBus service's Exec line. c-shquote contains a stack-based buffer...
Linux Distros Unpatched Vulnerability : CVE-2022-1106
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - use after free in mrbvmexec in GitHub repository mruby/mruby prior to 3.2. CVE-2022-1106 Note that Nessus relies on the presence of the package as reported by t...
Picklescan missing detection when calling pytorch function torch.jit.unsupported_tensor_ops.execWrapper
Summary Using the torch.jit.unsupported_tensor_ops.execWrapper function, which is a PyTorch library function, to execute a remote pickle file. Details The attack payload executes in the following steps: First, the attacker crafts the payload by calling the torch.jit.unsupported_tensor_ops.execWrapper function...