CVE-2026-10691

A security flaw has been discovered in wonderwhy-er DesktopCommanderMCP up to 0.2.38. This impacts an unknown function of the file src/search-manager.ts of the component startsearch. Performing a manipulation of the argument SearchResult results in inefficient regular expression complexity. It is...

EUVD-2026-34056

A security flaw has been discovered in wonderwhy-er DesktopCommanderMCP up to 0.2.38. This impacts an unknown function of the file src/search-manager.ts of the component startsearch. Performing a manipulation of the argument SearchResult results in inefficient regular expression complexity. It is...

CVE-2026-10690

A vulnerability was identified in wonderwhy-er DesktopCommanderMCP 0.2.37. This affects the function readFileFromUrl of the file src/tools/filesystem.ts of the component readfile. Such manipulation of the argument url leads to server-side request forgery. The attack may be performed from remote...

Desktop Commander MCP 安全漏洞

Desktop Commander MCP is an MCP server developed by Eduard Ruzga. Versions of Desktop Commander MCP prior to 0.2.38 contained security vulnerabilities. These vulnerabilities stemmed from the operation of the startsearch component in the src/search-manager.ts file with respect to the SearchResult...

Desktop Commander MCP 安全漏洞

Desktop Commander MCP is an MCP server developed by Eduard Ruzga. Version 0.2.37 of Desktop Commander MCP contains a security vulnerability. This vulnerability stems from the handling of the url parameter in the readFileFromUrl function found in the src/tools/filesystem.ts file. This vulnerabilit...

CVE-2026-10691 wonderwhy-er DesktopCommanderMCP start_search search-manager.ts redos

A security flaw has been discovered in wonderwhy-er DesktopCommanderMCP up to 0.2.38. This impacts an unknown function of the file src/search-manager.ts of the component startsearch. Performing a manipulation of the argument SearchResult results in inefficient regular expression complexity. It is...

CVE-2026-10691

A security flaw has been discovered in wonderwhy-er DesktopCommanderMCP up to 0.2.38. This impacts an unknown function of the file src/search-manager.ts of the component startsearch. Performing a manipulation of the argument SearchResult results in inefficient regular expression complexity. It is...

CVE-2026-10690 wonderwhy-er DesktopCommanderMCP read_file filesystem.ts readFileFromUrl server-side request forgery

A vulnerability was identified in wonderwhy-er DesktopCommanderMCP 0.2.37. This affects the function readFileFromUrl of the file src/tools/filesystem.ts of the component readfile. Such manipulation of the argument url leads to server-side request forgery. The attack may be performed from remote...

PT-2026-45885

A security flaw has been discovered in wonderwhy-er DesktopCommanderMCP up to 0.2.38. This impacts an unknown function of the file src/search-manager.ts of the component start search. Performing a manipulation of the argument SearchResult results in inefficient regular expression complexity. It i...

PT-2026-45884

A vulnerability was identified in wonderwhy-er DesktopCommanderMCP 0.2.37. This affects the function readFileFromUrl of the file src/tools/filesystem.ts of the component read file. Such manipulation of the argument url leads to server-side request forgery. The attack may be performed from remote...

CVE-2025-11491

A vulnerability was found in wonderwhy-er DesktopCommanderMCP up to 0.2.13. The impacted element is the function CommandManager of the file src/command-manager.ts. Performing manipulation results in os command injection. It is possible to initiate the attack remotely. The exploit has been made...

CVE-2025-11489

A security vulnerability has been detected in wonderwhy-er DesktopCommanderMCP up to 0.2.13. This vulnerability affects the function isPathAllowed of the file src/tools/filesystem.ts. The manipulation leads to symlink following. The attack can only be performed from a local environment. The...

CVE-2025-11490

A vulnerability has been found in wonderwhy-er DesktopCommanderMCP up to 0.2.13. The affected element is the function extractBaseCommand of the file src/command-manager.ts of the component Absolute Path Handler. Such manipulation leads to os command injection. The attack may be performed from...

@iflow-mcp/theycallmeholla-schema-org-mcp (=0.1.0), @wonderwhy-er/desktop-commander (>=0.2.29-alpha.3 <=0.2.29-alpha.4) +2 more potentially affected by CVE-2025-11491 via @wonderwhy-er/desktop-commander (>=0.1.39 <=0.2.41)

@wonderwhy-er/desktop-commander NPM version =0.1.39, =0.2.29-alpha.3, =1.0.0, =1.0.1 - familiar-mcp =0.1.0 Source cves: CVE-2025-11491 Source advisory: SNYK:JS-WONDERWHYERDESKTOPCOMMANDER-13535096...

@iflow-mcp/theycallmeholla-schema-org-mcp (=0.1.0), @wonderwhy-er/desktop-commander (>=0.2.29-alpha.3 <=0.2.29-alpha.4) +2 more potentially affected by CVE-2025-11490 via @wonderwhy-er/desktop-commander (>=0.1.39 <=0.2.41)

@wonderwhy-er/desktop-commander NPM version =0.1.39, =0.2.29-alpha.3, =1.0.0, =1.0.1 - familiar-mcp =0.1.0 Source cves: CVE-2025-11490 Source advisory: SNYK:JS-WONDERWHYERDESKTOPCOMMANDER-13535095...

Command Injection

Overview @wonderwhy-er/desktop-commander is a MCP server for terminal operations and file editing Affected versions of this package are vulnerable to Command Injection via the extractBaseCommand function. An attacker can execute arbitrary operating system commands by supplying crafted input that ...

CVE-2025-11490

A vulnerability has been found in wonderwhy-er DesktopCommanderMCP up to 0.2.13. The affected element is the function extractBaseCommand of the file src/command-manager.ts of the component Absolute Path Handler. Such manipulation leads to os command injection. The attack may be performed from...

UNIX Symbolic Link (Symlink) Following

Overview @wonderwhy-er/desktop-commander is a MCP server for terminal operations and file editing Affected versions of this package are vulnerable to UNIX Symbolic Link Symlink Following via the isPathAllowed function. An attacker can create a symlink inside an allowed directory that points to a...

@iflow-mcp/theycallmeholla-schema-org-mcp (=0.1.0), @wonderwhy-er/desktop-commander (>=0.2.29-alpha.3 <=0.2.29-alpha.4) +2 more potentially affected by CVE-2025-11489 via @wonderwhy-er/desktop-commander (>=0.1.39 <=0.2.41)

@wonderwhy-er/desktop-commander NPM version =0.1.39, =0.2.29-alpha.3, =1.0.0, =1.0.1 - familiar-mcp =0.1.0 Source cves: CVE-2025-11489 Source advisory: SNYK:JS-WONDERWHYERDESKTOPCOMMANDER-13535094...

EUVD-2025-33288

A vulnerability has been found in wonderwhy-er DesktopCommanderMCP up to 0.2.13. The affected element is the function extractBaseCommand of the file src/command-manager.ts of the component Absolute Path Handler. Such manipulation leads to os command injection. The attack may be performed from...