Skills
CVE-2026-7593: OS Command Injection in Sunwood-ai-labs command-executor-mcp-server — CVSS 7.3 High, Remote Exploitation Possible
A high-severity OS command injection vulnerability in command-executor-mcp-server (up to v0.1.0) allows remote attackers to execute arbitrary commands via the MCP Interface component in src/index.ts. Combined with CVE-2026-7591 (SQL injection in astro-mcp-server, CVSS 6.3) and CVE-2026-20205 (Splunk MCP token exposure), this represents a pattern: community MCP servers shipping with classic vulnerabilities. Builders should audit any MCP server's src/index.ts for unsanitized input handling.
Source
↳ Follow the thread