Description
A weakness has been identified in BurtTheCoder mcp-dnstwist up to 1.0.4. Affected by this vulnerability is the function fuzz_domain of the file src/index.ts of the component MCP Interface. Executing a manipulation of the argument Request can lead to os command injection. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-04-29
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an OS command injection in the fuzz_domain function of src/index.ts, where user‑controlled Request arguments are passed directly to the operating system. This flaw maps to CWE‑77 and CWE‑78 and can allow an attacker to execute arbitrary commands on the host. If exploited, it could provide complete control over the machine, enabling installation of malware, data exfiltration or further lateral movement.

Affected Systems

BurtTheCoder mcp-dnstwist up to version 1.0.4 is affected. No other products or vendor versions are currently listed.

Risk and Exploitability

The CVSS score of 6.9 indicates a moderate to high severity. EPSS data is not available and the vulnerability is not in CISA's KEV catalog. The attack can be launched remotely, and a public exploit has already been released, meaning the risk of real‑world exploitation is significant.

Generated by OpenCVE AI on April 30, 2026 at 03:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to the latest version of mcp-dnstwist (1.0.5 or newer) as soon as a patch is released.
  • Implement strict input validation or sanitization for the Request parameter before it is used in any operating‑system call.
  • Restrict external access to the MCP interface, allowing only trusted users or internal services.
  • Run the application with the minimum privileges required, limiting the potential damage of a successful injection.

Generated by OpenCVE AI on April 30, 2026 at 03:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 30 Apr 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Burtthecoder
Burtthecoder mcp-dnstwist
Vendors & Products Burtthecoder
Burtthecoder mcp-dnstwist

Wed, 29 Apr 2026 23:00:00 +0000

Type Values Removed Values Added
Description A weakness has been identified in BurtTheCoder mcp-dnstwist up to 1.0.4. Affected by this vulnerability is the function fuzz_domain of the file src/index.ts of the component MCP Interface. Executing a manipulation of the argument Request can lead to os command injection. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
Title BurtTheCoder mcp-dnstwist MCP index.ts fuzz_domain os command injection
Weaknesses CWE-77
CWE-78
References
Metrics cvssV2_0

{'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Burtthecoder Mcp-dnstwist
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-29T22:45:12.342Z

Reserved: 2026-04-29T16:49:14.514Z

Link: CVE-2026-7443

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Deferred

Published: 2026-04-29T23:16:20.740

Modified: 2026-04-30T14:52:54.847

Link: CVE-2026-7443

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T08:20:23Z

Weaknesses