CVE-2025-35028 HexStrike AI MCP Server Command Injection
By providing a command-line argument starting with a semicolon (;) to an API endpoint created by the EnhancedCommandExecutor class of the HexStrike AI MCP server, the resultant composed command is executed directly in the context of the MCP server’s normal privilege; typically, this is root. There...
CVE-2025-35028
HexStrike AI MCP Server is affected by a command-injection vulnerability in the EnhancedCommandExecutor API endpoint. A command-line argument starting with a semicolon (;) can cause a composed command to run with the MCP server’s privileges (typically root) because default configurations do not s...