GHSA-v6wj-c83f-v46x: Critical OS Command Injection in @profullstack/mcp-server domain_lookup Module

DEV Community·CVE Reports·24 days ago

Vulnerability ID: GHSA-V6WJ-C83F-V46X
CVSS Score: 9.8
Published: 2026-05-09

A critical unauthenticated OS Command Injection vulnerability (CWE-78) exists in the @profullstack/mcp-server npm package, specifically within the domain_lookup module. The vulnerability allows remote attackers to execute arbitrary commands on the host system via crafted HTTP requests.

TL;DR

The @profullstack/mcp-server package (versions <= 1.4.12) is vulnerable to unauthenticated OS Command Injection. The domain_lookup module unsafely concatenates user-supplied input into a shell command, enabling remote code execution.…
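The unsafe pattern described in the summary, next to a hardened form, as an added JavaScript example; this is not code from @profullstack/mcp-server. The binary name `domain-lookup-cli` and all function names are hypothetical, because the page does not show the module's actual command.

```javascript
// Added illustration; not code from @profullstack/mcp-server.
const { execFile } = require('node:child_process');

// Hypothetical lookup binary (assumption; the real command is not on the page).
const LOOKUP_BIN = 'domain-lookup-cli';

// Pattern the advisory describes: user input concatenated into a string that
// a shell will parse. The string is only returned here, never executed.
function buildShellCommandUnsafe(domain) {
  return `${LOOKUP_BIN} ${domain}`;
}

// Strict hostname check: letter/digit/hyphen labels of 1-63 characters with no
// leading or trailing hyphen, total length <= 253. This rejects whitespace,
// shell metacharacters, empty labels and values starting with '-' (which the
// binary could otherwise read as an option).
const LABEL = /^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/i;

function isValidDomain(value) {
  if (typeof value !== 'string' || value.length === 0 || value.length > 253) {
    return false;
  }
  return value.split('.').every((label) => LABEL.test(label));
}

// Hardened form, step 1: validate every value and build an argument array.
function buildLookupArgv(domains) {
  if (!Array.isArray(domains) || domains.length === 0) {
    throw new TypeError('domains must be a non-empty array');
  }
  const rejected = domains.filter((d) => !isValidDomain(d));
  if (rejected.length > 0) {
    throw new RangeError(`rejected ${rejected.length} invalid domain value(s)`);
  }
  return [...domains];
}

// Hardened form, step 2: execFile passes argv directly to the process and does
// not spawn a shell by default, so argument contents are never shell-parsed.
function lookup(domains, callback) {
  execFile(LOOKUP_BIN, buildLookupArgv(domains), { timeout: 10000 }, callback);
}
```

Validation and the shell-free call are independent layers: either one alone stops the concatenation bug, and keeping both means a later regression in one does not reopen it.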
