CVE-2026-2131

MEDIUM

XixianLiang HarmonyOS-mcp-server <0.1.0 - Command Injection

Title source: llm

Description

A vulnerability was identified in XixianLiang HarmonyOS-mcp-server 0.1.0. This vulnerability affects the function input_text. The manipulation of the argument text leads to os command injection. Remote exploitation of the attack is possible. The exploit is publicly available and might be used.

References (4)

Scores

CVSS v3 6.3
EPSS 0.0035
EPSS Percentile 57.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Classification

CWE
CWE-77 CWE-78
Status published

Affected Products (1)

xixianliang/harmonyos_mcp_server

Timeline

Published Feb 08, 2026
Tracked Since Feb 18, 2026