
5 matches found

NVD
added 2026/02/04 10:16 p.m., 6 views

CVE-2026-25546

Godot MCP is a Model Context Protocol (MCP) server for interacting with the Godot game engine. Prior to version 0.1.1, a command injection vulnerability in godot-mcp allows remote code execution. The executeOperation function passed user-controlled input (e.g., projectPath) directly to exec, which...

CVSS 7.8, EPSS 0.00037
Exploits: 1, References: 4
CVE
added 2026/02/04 9:48 p.m., 11 views

CVE-2026-25546

Godot MCP vulnerability CVE-2026-25546: In godot-mcp prior to v0.1.1, executeOperation passed user-controlled input (e.g., projectPath) to exec(), spawning a shell and enabling command injection with shell metacharacters. This could allow remote code execution with MCP server privileges across to...

CVSS 7.8, AI score 6.4, EPSS 0.00037
Exploits: 1, References: 4, Affected Software: 1
Cvelist
added 2026/02/04 9:48 p.m., 25 views

CVE-2026-25546: Godot MCP is vulnerable to Command Injection via unsanitized projectPath

Godot MCP is a Model Context Protocol (MCP) server for interacting with the Godot game engine. Prior to version 0.1.1, a command injection vulnerability in godot-mcp allows remote code execution. The executeOperation function passed user-controlled input (e.g., projectPath) directly to exec, which...

CVSS 7.8, EPSS 0.00037
Exploits: 1, References: 4
Positive Technologies
added 2026/02/04 12:0 a.m., 3 views

PT-2026-6322

Name of the Vulnerable Software and Affected Versions: Godot MCP versions prior to 0.1.1

Description: Godot MCP is a Model Context Protocol (MCP) server for interacting with the Godot game engine. A command injection issue in godot-mcp allows remote code execution. The executeOperation function passe...

CVSS 7.8, AI score 6.5, EPSS 0.00037
Exploits: 1, References: 11
CNNVD
added 2026/02/04 12:0 a.m., 5 views

Godot MCP operating system command injection vulnerability

Godot MCP is an MCP server developed by Solomon Elias, designed for interfacing with the Godot game engine. Versions of Godot MCP prior to 0.1.1 contained a vulnerability related to operating system command injection. This vulnerability stemmed from the executeOperation function, which directly...

CVSS 7.8, AI score 6.2, EPSS 0.00037
Exploits: 1, References: 4