CVE-2026-7600— Yii2 MCP Server 命令注入漏洞

ArtMin96 yii2-mcp-server MCP index.ts yii_execute_command os command injection

A flaw has been found in ArtMin96 yii2-mcp-server 1.0.2. This impacts the function yii_command_help/yii_execute_command of the file src/index.ts of the component MCP Interface. Executing a manipulation can lead to os command injection. The attack can be executed remotely. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

OS命令中使用的特殊元素转义处理不恰当(OS命令注入)

Yii2 MCP Server 命令注入漏洞

Yii2 MCP Server是Arthur Minasyan个人开发者的一个Yii2框架的数据库与项目管理工具。 Yii2 MCP Server 1.0.2版本存在命令注入漏洞，该漏洞源于MCP Interface组件中src/index.ts文件的yii_command_help/yii_execute_command函数操作不当，可能导致OS命令注入。

N/A

N/A