Description
A vulnerability was identified in XixianLiang HarmonyOS-mcp-server 0.1.0. This vulnerability affects the function input_text. The manipulation of the argument text leads to os command injection. Remote exploitation of the attack is possible. The exploit is publicly available and might be used.
Published: 2026-02-08
Score: 5.3 Medium
EPSS: 15.1% Moderate
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an OS command injection flaw in the input_text function of XixianLiang HarmonyOS‑mcp‑server. By manipulating the "text" argument, an attacker can cause the server to execute arbitrary operating‑system commands. The weakness is classified as CWE‑77 and CWE‑78 and, if exploited, can lead to full compromise of the host, granting the attacker the privileges of the account under which the server runs.

Affected Systems

XixianLiang HarmonyOS‑mcp‑server version 0.1.0

Risk and Exploitability

This vulnerability carries a CVSS score of 5.3, indicating moderate risk, and an EPSS score of 15%, suggesting a moderate probability of exploitation in the wild. Because the flaw permits remote execution of arbitrary commands via the input_text endpoint, an attacker who can reach the server over the network could inject commands and gain the privileges of the running service. A public exploit exists, which underscores the potential for exploitation, although the vulnerability is not currently listed in the CISA KEV catalog. If the server runs with elevated privileges, it could be leveraged to compromise the host or pivot to other services. Security controls such as limiting network exposure and enforcing least‑privilege execution reduce the risk.

Generated by OpenCVE AI on June 18, 2026 at 05:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check for an official vendor patch or fix for HarmonyOS‑mcp‑server 0.1.0
  • Sanitize and validate the "text" input to prevent command injection, rejecting or escaping shell meta characters
  • Run the server with the least privileges necessary and disable shell execution where possible
  • Restrict network access to the service using firewalls or segmentation to limit exposure to the attack surface
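The second and third recommended actions above (validate the "text" argument, and avoid shell execution) shown as working code. This is an added illustration, not code from HarmonyOS-mcp-server; the advisory does not show how the project's input_text is implemented or which tool it invokes, so a stand-in Python one-liner that echoes its first argument takes the tool's place, and the function names input_text_unsafe, input_text_argv, validate_text and input_text_hardened are hypothetical.

```python
"""CWE-78 in an "input_text"-style handler: the unsafe shell pattern beside a
hardened version. Added illustration only; not code from HarmonyOS-mcp-server.
The advisory does not show which tool the real server invokes, so a stand-in
command that just prints the argument it received is used (assumption)."""
import re
import shlex
import subprocess
import sys
from typing import Optional

# Stand-in for the device-input tool (constructed): a tiny Python one-liner
# that echoes its first argument, so the effect of each approach is visible.
INPUT_TOOL_ARGV = [sys.executable, "-c", "import sys; print(sys.argv[1])"]


def input_text_unsafe(text: str) -> str:
    """Vulnerable pattern (do not use): the caller-controlled string is spliced
    into a command line that /bin/sh parses. Any shell metacharacter in `text`
    (';', '|', '$(...)', backticks, ...) is interpreted as syntax, not data.
    Kept here only to show the shape of the bug; nothing below calls it."""
    command_line = f"{shlex.join(INPUT_TOOL_ARGV)} {text}"
    completed = subprocess.run(command_line, shell=True,
                               capture_output=True, text=True)
    return completed.stdout


def input_text_argv(text: str) -> str:
    """Primary fix: pass `text` as one argv element with shell=False.
    No shell runs, so metacharacters reach the tool as literal characters."""
    completed = subprocess.run(INPUT_TOOL_ARGV + [text], shell=False,
                               capture_output=True, text=True)
    return completed.stdout


# Defence in depth: an allowlist of what typed text may contain. Tighten or
# loosen to the application's needs; the point is to reject, not to escape.
_ALLOWED_TEXT = re.compile(r"[\w .,!?@:/-]{1,256}")


def validate_text(text: object) -> Optional[str]:
    """Return None when `text` is acceptable, otherwise a rejection reason."""
    if not isinstance(text, str):
        return "text must be a string"
    if not _ALLOWED_TEXT.fullmatch(text):
        return "text contains characters outside the allowed set"
    return None


def is_rejected(text: object) -> bool:
    """True when validate_text() would refuse the value."""
    return validate_text(text) is not None


def input_text_hardened(text: str) -> str:
    """Validate first, then run without a shell: both controls combined."""
    reason = validate_text(text)
    if reason is not None:
        raise ValueError(f"rejected input_text argument: {reason}")
    return input_text_argv(text)


if __name__ == "__main__":
    # Constructed probe: harmless here, but it is shell syntax under shell=True.
    probe = "hello; echo INJECTED"
    print("argv-only:", input_text_argv(probe).rstrip())
    print("hardened :", "rejected" if is_rejected(probe) else input_text_hardened(probe))
```

The argv list is the control that actually removes the injection: with shell=False the whole string, metacharacters included, arrives as a single argument and is printed back verbatim. The allowlist is defence in depth and also bounds the length of what a remote caller can submit. If a shell is genuinely unavoidable, quoting the single argument with shlex.quote is the fallback, but that is harder to get right than never starting a shell at all.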

Advisories

No advisories yet.

History

Thu, 05 Mar 2026 20:15:00 +0000

Values Added (no values removed):
  First Time appeared: Xixianliang harmonyos Mcp Server
  CPEs: cpe:2.3:a:xixianliang:harmonyos_mcp_server:0.1.0:*:*:*:*:*:*:*
  Vendors & Products: Xixianliang harmonyos Mcp Server

Tue, 10 Feb 2026 20:15:00 +0000

Values Added (no values removed):
  Metrics: ssvc
    {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 09 Feb 2026 11:00:00 +0000

Values Added (no values removed):
  First Time appeared: Xixianliang; Xixianliang harmonyos-mcp-server
  Vendors & Products: Xixianliang; Xixianliang harmonyos-mcp-server

Sun, 08 Feb 2026 03:00:00 +0000

Values Added (no values removed):
  Description: A vulnerability was identified in XixianLiang HarmonyOS-mcp-server 0.1.0. This vulnerability affects the function input_text. The manipulation of the argument text leads to os command injection. Remote exploitation of the attack is possible. The exploit is publicly available and might be used.
  Title: XixianLiang HarmonyOS-mcp-server input_text os command injection
  Weaknesses: CWE-77; CWE-78
  References:
  Metrics: cvssV2_0
    {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
  Metrics: cvssV3_0
    {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  Metrics: cvssV3_1
    {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  Metrics: cvssV4_0
    {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T09:37:10.319Z

Reserved: 2026-02-06T20:52:48.170Z

Link: CVE-2026-2131

Vulnrichment

Updated: 2026-02-10T19:45:36.796Z

NVD

Status: Analyzed

Published: 2026-02-08T03:15:49.047

Modified: 2026-06-17T10:30:22.457

Link: CVE-2026-2131

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T05:15:16Z

Weaknesses
  • CWE-77

    Improper Neutralization of Special Elements used in a Command ('Command Injection')

  • CWE-78

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')