GHSA-8JX2-RHFH-Q928 godot-mcp has Command Injection via unsanitized projectPath
Impact

A Command Injection vulnerability in godot-mcp allows remote code execution. The executeOperation function passed user-controlled input (e.g., projectPath) directly to exec, which spawns a shell. An attacker could inject shell metacharacters like $command or &calc to execute arbitrary comman...