Description
Command injection vulnerability in automagik-genie 2.5.27 MCP Server allows attackers to execute arbitrary commands via the view_task (aka view) in the readTranscriptFromCommit function in dist/mcp/server.js when a user reads from an external FORGE_BASE_URL.
Recommendation
No fix is available yet. Followings are affected versions:
- = 2.5.27
References
Related Issues
- Systeminformation has a Command Injection via unsanitized interface parameter in wifi.js retry path - CVE-2026-26280
- electerm has Command Injection via runLinux funtion - CVE-2026-41501
- WebdriverIO BrowserStack Service has a Command Injection issue - CVE-2026-25244
- Systeminformation has command injection vulnerability in getWindowsIEEE8021x (SSID) - CVE-2024-56334
You might also like:
- Tags:
- npm
- automagik-genie
Anything's wrong? Let us know Last updated on May 18, 2026