EUVD-2026-34056
A security flaw has been discovered in wonderwhy-er DesktopCommanderMCP up to 0.2.38. This impacts an unknown function of the file src/search-manager.ts of the component startsearch. Performing a manipulation of the argument SearchResult results in inefficient regular expression complexity. It is...
CVE-2026-10690
A vulnerability was identified in wonderwhy-er DesktopCommanderMCP 0.2.37. This affects the function readFileFromUrl of the file src/tools/filesystem.ts of the component readfile. Such manipulation of the argument url leads to server-side request forgery. The attack may be performed from remote...
CVE-2026-10691 wonderwhy-er DesktopCommanderMCP start_search search-manager.ts redos
A security flaw has been discovered in wonderwhy-er DesktopCommanderMCP up to 0.2.38. This impacts an unknown function of the file src/search-manager.ts of the component startsearch. Performing a manipulation of the argument SearchResult results in inefficient regular expression complexity. It is...
CVE-2026-10691
A security flaw has been discovered in wonderwhy-er DesktopCommanderMCP up to 0.2.38. This impacts an unknown function of the file src/search-manager.ts of the component startsearch. Performing a manipulation of the argument SearchResult results in inefficient regular expression complexity. It is...
CVE-2026-10690 wonderwhy-er DesktopCommanderMCP read_file filesystem.ts readFileFromUrl server-side request forgery
A vulnerability was identified in wonderwhy-er DesktopCommanderMCP 0.2.37. This affects the function readFileFromUrl of the file src/tools/filesystem.ts of the component readfile. Such manipulation of the argument url leads to server-side request forgery. The attack may be performed from remote...
PT-2026-45884
A vulnerability was identified in wonderwhy-er DesktopCommanderMCP 0.2.37. This affects the function readFileFromUrl of the file src/tools/filesystem.ts of the component read file. Such manipulation of the argument url leads to server-side request forgery. The attack may be performed from remote...
PT-2026-45885
A security flaw has been discovered in wonderwhy-er DesktopCommanderMCP up to 0.2.38. This impacts an unknown function of the file src/search-manager.ts of the component start search. Performing a manipulation of the argument SearchResult results in inefficient regular expression complexity. It i...
CVE-2025-11491
A vulnerability was found in wonderwhy-er DesktopCommanderMCP up to 0.2.13. The impacted element is the function CommandManager of the file src/command-manager.ts. Performing manipulation results in OS command injection. It is possible to initiate the attack remotely. The exploit has been made...
CVE-2025-11489
A security vulnerability has been detected in wonderwhy-er DesktopCommanderMCP up to 0.2.13. This vulnerability affects the function isPathAllowed of the file src/tools/filesystem.ts. The manipulation leads to symlink following. The attack can only be performed from a local environment. The...
CVE-2025-11490
A vulnerability has been found in wonderwhy-er DesktopCommanderMCP up to 0.2.13. The affected element is the function extractBaseCommand of the file src/command-manager.ts of the component Absolute Path Handler. Such manipulation leads to OS command injection. The attack may be performed from...
@iflow-mcp/theycallmeholla-schema-org-mcp (=0.1.0), @wonderwhy-er/desktop-commander (>=0.2.29-alpha.3 <=0.2.29-alpha.4) +2 more potentially affected by CVE-2025-11491 via @wonderwhy-er/desktop-commander (>=0.1.39 <=0.2.40)
@wonderwhy-er/desktop-commander NPM version =0.1.39, =0.2.29-alpha.3, =1.0.0, =1.0.1 - familiar-mcp =0.1.0 Source cves: CVE-2025-11491 Source advisory: SNYK:JS-WONDERWHYERDESKTOPCOMMANDER-13535096...
@iflow-mcp/theycallmeholla-schema-org-mcp (=0.1.0), @wonderwhy-er/desktop-commander (>=0.2.29-alpha.3 <=0.2.29-alpha.4) +2 more potentially affected by CVE-2025-11490 via @wonderwhy-er/desktop-commander (>=0.1.39 <=0.2.40)
@wonderwhy-er/desktop-commander NPM version =0.1.39, =0.2.29-alpha.3, =1.0.0, =1.0.1 - familiar-mcp =0.1.0 Source cves: CVE-2025-11490 Source advisory: SNYK:JS-WONDERWHYERDESKTOPCOMMANDER-13535095...
Command Injection
Overview: @wonderwhy-er/desktop-commander is an MCP server for terminal operations and file editing. Affected versions of this package are vulnerable to Command Injection via the extractBaseCommand function. An attacker can execute arbitrary operating system commands by supplying crafted input that ...
CVE-2025-11490
A vulnerability has been found in wonderwhy-er DesktopCommanderMCP up to 0.2.13. The affected element is the function extractBaseCommand of the file src/command-manager.ts of the component Absolute Path Handler. Such manipulation leads to OS command injection. The attack may be performed from...
@iflow-mcp/theycallmeholla-schema-org-mcp (=0.1.0), @wonderwhy-er/desktop-commander (>=0.2.29-alpha.3 <=0.2.29-alpha.4) +2 more potentially affected by CVE-2025-11489 via @wonderwhy-er/desktop-commander (>=0.1.39 <=0.2.40)
@wonderwhy-er/desktop-commander NPM version =0.1.39, =0.2.29-alpha.3, =1.0.0, =1.0.1 - familiar-mcp =0.1.0 Source cves: CVE-2025-11489 Source advisory: SNYK:JS-WONDERWHYERDESKTOPCOMMANDER-13535094...
UNIX Symbolic Link (Symlink) Following
Overview: @wonderwhy-er/desktop-commander is an MCP server for terminal operations and file editing. Affected versions of this package are vulnerable to UNIX Symbolic Link (Symlink) Following via the isPathAllowed function. An attacker can create a symlink inside an allowed directory that points to a...
EUVD-2025-33288
A vulnerability has been found in wonderwhy-er DesktopCommanderMCP up to 0.2.13. The affected element is the function extractBaseCommand of the file src/command-manager.ts of the component Absolute Path Handler. Such manipulation leads to OS command injection. The attack may be performed from...
CVE-2025-11489
CVE-2025-11489 affects wonderwhy-er DesktopCommanderMCP up to 0.2.13. The issue resides in isPathAllowed (src/tools/filesystem.ts) and enables symbolic link following, with local access required and high attack complexity. Publicly disclosed exploitability is noted; vendor guidance recommends usi...
CVE-2025-11489 wonderwhy-er DesktopCommanderMCP filesystem.ts isPathAllowed symlink
A security vulnerability has been detected in wonderwhy-er DesktopCommanderMCP up to 0.2.13. This vulnerability affects the function isPathAllowed of the file src/tools/filesystem.ts. The manipulation leads to symlink following. The attack can only be performed from a local environment. The...
Desktop Commander MCP Security Vulnerability
Desktop Commander MCP is an MCP server by the individual developer Eduard Ruzga. A security vulnerability exists in Desktop Commander MCP version 0.2.13 and earlier, which stems from OS command injection in the extractBaseCommand function of the src/command-manager.ts file in the Absolute Path...