@elgentos/magento2-dev-mcp vulnerable to command injection

Description

A vulnerability was identified in elgentos magento2-dev-mcp up to 1.0.2. The affected element is the function executeMagerun2Command of the file src/index.ts. Such manipulation leads to os command injection. An attack has to be approached locally. The exploit is publicly available and might be used.

Recommendation

No fix is available yet. Followings are affected versions:

• <= 1.0.2

References

• GHSA-xqv9-qr76-hfq2
• vuldb.com
• CVE-2026-5603
• CWE-77
• CAPEC-310
• OWASP 2021-A3
• OWASP 2021-A6

Related Issues

• Systeminformation vulnerable to Linux command injection in networkInterfaces() via unsanitized NetworkManager connection - CVE-2026-44724
• protobuf.js is Vulnerable to OS Command Injection in the CLI - CVE-2026-42290
• yii2-mcp-server has a Command Injection Issue - CVE-2026-7600
• @siteboon/claude-code-ui is Vulnerable to Shell Command Injection in Git Routes - CVE-2026-31861

You might also like:

How do hackers hack websites?

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:

npm

@elgentos/magento2-dev-mcp