Impact
This vulnerability is a command injection flaw: the server processes the create_issue parameter without validating the supplied string before it reaches a shell. An attacker can send a specially crafted request to an affected instance, causing the service to execute arbitrary shell commands in the context of the service account. The flaw is a direct injection; no separate privilege escalation is involved, and the injected commands run with exactly the service account's permissions, yet within that scope the impact is a complete loss of confidentiality, integrity, and availability of the server, since arbitrary code can be executed.
Affected Systems
The affected product is github-kanban-mcp-server. No specific version range is listed in the CVE record; therefore any installation of github-kanban-mcp-server that has not applied a vendor-released fix is considered at risk.
Risk and Exploitability
The CVSS score of 9.8 indicates critical severity, while the EPSS score of less than 1% suggests that exploitation attempts are expected to be rare at present. The vulnerability is not listed in CISA's KEV catalog, so there is no evidence of widespread or active exploitation. An attacker does not need prior authentication; the flaw can be reached from the internet or an internal network wherever the create_issue endpoint is exposed. The attack path is simple: a crafted create_issue request carries shell commands in the unvalidated parameter, and the server executes them with the privileges of the service account.
OpenCVE Enrichment