CVE-2026-25546

描述

### Impact A Command Injection vulnerability in godot-mcp allows remote code execution. The `executeOperation` function passed user-controlled input (e.g., `projectPath`) directly to `exec()`, which spawns a shell. An attacker could inject shell metacharacters like `$(command)` or `&calc` to execute arbitrary commands with the privileges of the MCP server process. This affects any tool that accepts `projectPath`, including `create_scene`, `add_node`, `load_sprite`, and others. ### Patches Fixed in version 0.1.1 by switching from `exec()` to `execFile()`, which does not invoke a shell. ### Workarounds None. Users should upgrade immediately. ### Resources - https://github.com/Coding-Solo/godot-mcp/issues/64 - https://github.com/Coding-Solo/godot-mcp/pull/67

如何修補 CVE-2026-25546

要修補 CVE-2026-25546,請將受影響套件升級到下列已修補版本。

• —升級至 0.1.1 或更新版本

CVE-2026-25546 正在被利用嗎?

低 — EPSS 為 0.0%,目前沒有觀察到大規模利用活動。

受影響套件(1)

• from 0, < 0.1.1

CVSS 分數

參考連結(6)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-25546
• PATCHgithub.com/Coding-Solo/godot-mcp
• WEBgithub.com/Coding-Solo/godot-mcp/commit/21c785d923cfdb471ea60323c13807d62dfecc5a
• WEBgithub.com/Coding-Solo/godot-mcp/issues/64
• WEB