@profullstack/mcp-server vulnerable to OS Command Injection in domain_lookup Module
Field | Value – | – Project | profullstack/mcp-server Repository | https://github.com/profullstack/mcp-server Affected Commit | 2e8ea913573610667ad54e31dba2e8198ebf7cf9 Affected Module | mcp_modules/domain_lookup Affected Endpoints | POST /domain-lookup/check, POST /domain-lookup/bulk Vulnerability Type | CWE-78: OS Command Injection CVSS 3.1 Score | 9.8 (Critical) — AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Authentication Required | None Default Network Exposure | Bind address 0.0.0.0, no global authentication middleware Validated | 2026-04-21 (initial), 2026-04-28 (re-confirmed) if (options.prefixes?.length) { command += –prefixes ${options.prefixes.join(',')}; …