<?xml version='1.0' encoding='UTF-8'?>
<?xml-stylesheet href="/static/style.xsl" type="text/xsl"?>
<rss xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title>Most recent sightings.</title>
    <link>https://vulnerability.circl.lu</link>
    <description>Contains only the most 10 recent sightings.</description>
    <docs>http://www.rssboard.org/rss-specification</docs>
    <generator>python-feedgen</generator>
    <language>en</language>
    <lastBuildDate>Sun, 12 Jul 2026 12:46:44 +0000</lastBuildDate>
    <item>
      <title>ed56307d-5d28-431d-a155-9b3ae69fdf65</title>
      <link>https://vulnerability.circl.lu/sighting/ed56307d-5d28-431d-a155-9b3ae69fdf65/export</link>
      <description>{"uuid": "ed56307d-5d28-431d-a155-9b3ae69fdf65", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-v6wj-c83f-v46x", "type": "seen", "source": "https://gist.github.com/alon710/04224a7d95127340316da1f44fdb7a8c", "content": "# GHSA-V6WJ-C83F-V46X: GHSA-v6wj-c83f-v46x: Critical OS Command Injection in @profullstack/mcp-server domain_lookup Module\n\n&amp;gt; **CVSS Score:** 9.8\n&amp;gt; **Published:** 2026-05-09\n&amp;gt; **Full Report:** https://cvereports.com/reports/GHSA-V6WJ-C83F-V46X\n\n## Summary\nA critical unauthenticated OS Command Injection vulnerability (CWE-78) exists in the `@profullstack/mcp-server` npm package, specifically within the `domain_lookup` module. The vulnerability allows remote attackers to execute arbitrary commands on the host system via crafted HTTP requests.\n\n## TL;DR\nThe `@profullstack/mcp-server` package (versions &amp;lt;= 1.4.12) is vulnerable to unauthenticated OS Command Injection. The `domain_lookup` module unsafely concatenates user-supplied input into a shell command, enabling remote code execution.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-78\n- **Attack Vector**: Network\n- **CVSS Score**: 9.8 (Critical)\n- **Impact**: Arbitrary Remote Code Execution\n- **Exploit Status**: Proof of Concept Available\n- **Privileges Required**: None\n\n## Affected Systems\n\n- @profullstack/mcp-server npm package\n- **@profullstack/mcp-server**: &amp;lt;= 1.4.12\n\n## Mitigation\n\n- Replace child_process.exec with child_process.spawn to pass arguments safely as arrays.\n- Implement strict regex-based input validation for domain names enforcing RFC 1035 compliance.\n- Enforce global authentication middleware across all modular endpoints.\n- Execute the Node.js server process under a dedicated, unprivileged user account.\n\n**Remediation Steps:**\n1. Identify all deployments running @profullstack/mcp-server versions &amp;lt;= 1.4.12.\n2. Modify service.js to utilize child_process.spawn instead of execAsync.\n3. Implement a regex validation check (e.g., /^[a-zA-Z0-9.-]+$/) on the domains and keywords input arrays.\n4. Restart the Node.js application process.\n5. Review system logs and process trees for unauthorized executions or shell spawns indicating prior compromise.\n\n## References\n\n- [GitHub Advisory](https://github.com/profullstack/mcp-server/security/advisories/GHSA-v6wj-c83f-v46x)\n- [OSV Database](https://osv.dev/vulnerability/GHSA-v6wj-c83f-v46x)\n- [NPM Package](https://www.npmjs.com/package/@profullstack/mcp-server)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/GHSA-V6WJ-C83F-V46X) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-05-09T04:40:29.000000Z"}</description>
      <content:encoded>{"uuid": "ed56307d-5d28-431d-a155-9b3ae69fdf65", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-v6wj-c83f-v46x", "type": "seen", "source": "https://gist.github.com/alon710/04224a7d95127340316da1f44fdb7a8c", "content": "# GHSA-V6WJ-C83F-V46X: GHSA-v6wj-c83f-v46x: Critical OS Command Injection in @profullstack/mcp-server domain_lookup Module\n\n&amp;gt; **CVSS Score:** 9.8\n&amp;gt; **Published:** 2026-05-09\n&amp;gt; **Full Report:** https://cvereports.com/reports/GHSA-V6WJ-C83F-V46X\n\n## Summary\nA critical unauthenticated OS Command Injection vulnerability (CWE-78) exists in the `@profullstack/mcp-server` npm package, specifically within the `domain_lookup` module. The vulnerability allows remote attackers to execute arbitrary commands on the host system via crafted HTTP requests.\n\n## TL;DR\nThe `@profullstack/mcp-server` package (versions &amp;lt;= 1.4.12) is vulnerable to unauthenticated OS Command Injection. The `domain_lookup` module unsafely concatenates user-supplied input into a shell command, enabling remote code execution.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-78\n- **Attack Vector**: Network\n- **CVSS Score**: 9.8 (Critical)\n- **Impact**: Arbitrary Remote Code Execution\n- **Exploit Status**: Proof of Concept Available\n- **Privileges Required**: None\n\n## Affected Systems\n\n- @profullstack/mcp-server npm package\n- **@profullstack/mcp-server**: &amp;lt;= 1.4.12\n\n## Mitigation\n\n- Replace child_process.exec with child_process.spawn to pass arguments safely as arrays.\n- Implement strict regex-based input validation for domain names enforcing RFC 1035 compliance.\n- Enforce global authentication middleware across all modular endpoints.\n- Execute the Node.js server process under a dedicated, unprivileged user account.\n\n**Remediation Steps:**\n1. Identify all deployments running @profullstack/mcp-server versions &amp;lt;= 1.4.12.\n2. Modify service.js to utilize child_process.spawn instead of execAsync.\n3. Implement a regex validation check (e.g., /^[a-zA-Z0-9.-]+$/) on the domains and keywords input arrays.\n4. Restart the Node.js application process.\n5. Review system logs and process trees for unauthorized executions or shell spawns indicating prior compromise.\n\n## References\n\n- [GitHub Advisory](https://github.com/profullstack/mcp-server/security/advisories/GHSA-v6wj-c83f-v46x)\n- [OSV Database](https://osv.dev/vulnerability/GHSA-v6wj-c83f-v46x)\n- [NPM Package](https://www.npmjs.com/package/@profullstack/mcp-server)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/GHSA-V6WJ-C83F-V46X) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-05-09T04:40:29.000000Z"}</content:encoded>
      <guid isPermaLink="false">https://vulnerability.circl.lu/sighting/ed56307d-5d28-431d-a155-9b3ae69fdf65/export</guid>
      <pubDate>Sat, 09 May 2026 04:40:29 +0000</pubDate>
    </item>
  </channel>
</rss>
