101 matches found
CVE-2026-15522
A security flaw has been discovered in tugcantopaloglu godot-mcp 2.0.0. Affected by this vulnerability is the function validatePath of the file build/index.js of the component runproject. The manipulation of the argument projectPath results in path traversal. Attacking locally is a requirement. T...
CVE-2026-15522
The CVE-2026-15522 entry concerns the tugcantopaloglu godot-mcp package, version 2.0.0. Affected is the function validatePath in build/index.js (component run_project); manipulating the argument projectPath enables path traversal. Exploitation requires local access, and a public exploit has been ...
CVE-2026-15522 tugcantopaloglu godot-mcp run_project index.js validatePath path traversal
A security flaw has been discovered in tugcantopaloglu godot-mcp 2.0.0. Affected by this vulnerability is the function validatePath of the file build/index.js of the component runproject. The manipulation of the argument projectPath results in path traversal. Attacking locally is a requirement. T...
CVE-2026-15522 tugcantopaloglu godot-mcp run_project index.js validatePath path traversal
A security flaw has been discovered in tugcantopaloglu godot-mcp 2.0.0. Affected by this vulnerability is the function validatePath of the file build/index.js of the component runproject. The manipulation of the argument projectPath results in path traversal. Attacking locally is a requirement. T...
Command Injection
Godot MCP is vulnerable to Command Injection. The vulnerability is due to passing user-controlled input directly to exec without sanitization, which allows an attacker to inject shell commands and achieve remote code execution...
CVE-2026-25546
Godot MCP is a Model Context Protocol MCP server for interacting with the Godot game engine. Prior to version 0.1.1, a command injection vulnerability in godot-mcp allows remote code execution. The executeOperation function passed user-controlled input e.g., projectPath directly to exec, which...
Exploit for CVE-2026-25546
CVE-2026-25546 PoC - godot-mcp OS Command...
CVE-2026-25546
Godot MCP is a Model Context Protocol MCP server for interacting with the Godot game engine. Prior to version 0.1.1, a command injection vulnerability in godot-mcp allows remote code execution. The executeOperation function passed user-controlled input e.g., projectPath directly to exec, which...
CVE-2026-25546
Godot MCP vulnerability CVE-2026-25546: In godot-mcp prior to v0.1.1, executeOperation passed user-controlled input (e.g., projectPath) to exec(), spawning a shell and enabling command injection with shell metacharacters. This could allow remote code execution with MCP server privileges across to...
CVE-2026-25546 Godot MCP is vulnerable to Command Injection via unsanitized projectPath
Godot MCP is a Model Context Protocol MCP server for interacting with the Godot game engine. Prior to version 0.1.1, a command injection vulnerability in godot-mcp allows remote code execution. The executeOperation function passed user-controlled input e.g., projectPath directly to exec, which...
CVE-2026-25546
Godot MCP is a Model Context Protocol MCP server for interacting with the Godot game engine. Prior to version 0.1.1, a command injection vulnerability in godot-mcp allows remote code execution. The executeOperation function passed user-controlled input e.g., projectPath directly to exec, which...
EUVD-2026-5327
Godot MCP is a Model Context Protocol MCP server for interacting with the Godot game engine. Prior to version 0.1.1, a command injection vulnerability in godot-mcp allows remote code execution. The executeOperation function passed user-controlled input e.g., projectPath directly to exec, which...
CVE-2026-25546 Godot MCP is vulnerable to Command Injection via unsanitized projectPath
Godot MCP is a Model Context Protocol MCP server for interacting with the Godot game engine. Prior to version 0.1.1, a command injection vulnerability in godot-mcp allows remote code execution. The executeOperation function passed user-controlled input e.g., projectPath directly to exec, which...
CVE-2026-25546 Godot MCP is vulnerable to Command Injection via unsanitized projectPath
Godot MCP is a Model Context Protocol MCP server for interacting with the Godot game engine. Prior to version 0.1.1, a command injection vulnerability in godot-mcp allows remote code execution. The executeOperation function passed user-controlled input e.g., projectPath directly to exec, which...
Command Injection
Overview godot-mcp is a MCP server for interfacing with Godot game engine. Provides tools for launching the editor, running projects, and capturing debug output. Affected versions of this package are vulnerable to Command Injection via the executeOperation function when user-controlled input is...
GHSA-8JX2-RHFH-Q928 godot-mcp has Command Injection via unsanitized projectPath
Impact A Command Injection vulnerability in godot-mcp allows remote code execution. The executeOperation function passed user-controlled input e.g., projectPath directly to exec, which spawns a shell. An attacker could inject shell metacharacters like $command or &calc to execute arbitrary comman...
PT-2026-6322
Name of the Vulnerable Software and Affected Versions Godot MCP versions prior to 0.1.1 Description Godot MCP is a Model Context Protocol MCP server for interacting with the Godot game engine. A command injection issue in godot-mcp allows remote code execution. The executeOperation function passe...
PT-2026-6397
Impact A Command Injection vulnerability in godot-mcp allows remote code execution. The executeOperation function passed user-controlled input e.g., projectPath directly to exec, which spawns a shell. An attacker could inject shell metacharacters like $command or &calc to execute arbitrary comman...
Godot MCP 操作系统命令注入漏洞
Godot MCP is an MCP server developed by Solomon Elias, designed for interfacing with the Godot game engine. Versions of Godot MCP prior to 0.1.1 contained a vulnerability related to operating system command injection. This vulnerability stemmed from the executeOperation function, which directly...
EUVD-2019-2130
Malware in sbrugna...