CVE-2025-66219

CVE-2025-66219 affects the willitmerge CLI, specifically versions 0.2.1 and earlier. The root cause is the use of an insecure child-process execution API (exec) that concatenates user-provided input (from command-line flags or repository-controlled data) into shell commands, enabling command inje...

CVE-2025-63604

A code injection vulnerability exists in baryhuang/mcp-server-aws-resources-python 0.1.0 that allows remote code execution through insufficient input validation in the executequery method. The vulnerability stems from the exposure of dangerous Python built-in functions import, getattr, hasattr in...

Command Injection in adb-mcp MCP Server

Command Injection in adb-mcp MCP Server The MCP Server at https://github.com/srmorete/adb-mcp is written in a way that is vulnerable to command injection vulnerability attacks as part of some of its MCP Server tool definition and implementation. The MCP Server is also published publicly to npm at...

CVE-2025-54994 @akoskm/create-mcp-server-stdio has Command Injection in MCP Server due to unsafe `exec` API

@akoskm/create-mcp-server-stdio is an MCP server starter kit that uses the StdioServerTransport. Prior to version 0.0.13, the MCP Server is written in a way that is vulnerable to command injection vulnerability attacks as part of some of its MCP Server tool definition and implementation. The MCP...

CVE-2025-54994

CVE-2025-54994 affects the MCP Server Starter kit @akoskm/create-mcp-server-stdio. The vulnerable component is the which-app-on-port tool that uses Node.js child_process.exec, exposing command-injection risk when user input is unsafely concatenated into shell commands. Affected versions precede 0...

PT-2024-18946

Name of the Vulnerable Software and Affected Versions ggit versions all Description The issue concerns Command Injection via the fetchTagsbranch API, which allows user input to specify the branch to be fetched. This input is then concatenated with a git command and passed to the unsafe exec Node....