CNNVD-202602-541 Information
CNNVD ID
CNNVD-202602-541
Related CVE
- CNNVD Published: 2026-02-04
Description (Chinese)
Godot MCP是Solomon Elias个人开发者的一个用于与Godot游戏引擎接口的MCP服务器。 Godot MCP 0.1.1之前版本存在操作系统命令注入漏洞,该漏洞源于executeOperation函数将用户控制的输入直接传递给exec函数,可能导致命令注入和远程代码执行。
Description (English)
Godot MCP is an MCP server used by the Solomon Elias personal developer to interface with the Godot game engine. There is a loophole in the operating system command before the Godot MCP 0.1.1, which stems from the fact that the executeOperation function directly transmits the user-controlled input to the exec function, which may result in the command injection and remote code execution.
Hazard Level
High
Vulnerability Type
操作系统命令注入
Affected Vendor
个人开发者
Published
2026-02-04
Last Modified
2026-02-24
References
https://github.com/Coding-Solo/godot-mcp/commit/21c785d923cfdb471ea60323c13807d62dfecc5a https://github.com/Coding-Solo/godot-mcp/issues/64 https://github.com/Coding-Solo/godot-mcp/pull/67 https://github.com/Coding-Solo/godot-mcp/security/advisories/GHSA-8jx2-rhfh-q928
Patch
https://github.com/godotengine/godot/releases
Share on: