Terminal-controller-mcp, Command Injection, Critical

Listen to this Post

How the mentioned CVE works:

The vulnerability exists within the `execute_command` function of terminal-controller-mcp version 0.1.7. The function improperly concatenates user-controlled input directly into a shell command without adequate sanitization or neutralization. An attacker can craft a malicious input string containing shell metacharacters (e.g., semicolons, backticks, or ampersands). When this crafted input is processed by the vulnerable function, the embedded shell commands are executed with the same privileges as the application process. This allows for arbitrary command execution on the host system, potentially leading to full compromise, data exfiltration, or further lateral movement within the affected environment. The lack of input validation or context-aware escaping is the root cause.

DailyCVE Form:

Platform: Node.js package
Version: 0.1.7
Vulnerability: Command injection
Severity: Critical
Date: Jan 7, 2026

Prediction: Patch by Jan 30, 2026

What Undercode Say:

Analytics:

npm ls terminal-controller-mcp
grep -r "execute_command" .
curl -s https://registry.npmjs.org/terminal-controller-mcp | jq .time

How Exploit:

curl -X POST http://target/api -d 'cmd=legit; cat /etc/passwd'
Input: "legit; $(rm -rf /)"
Payload: `sleep 10` & whoami

Protection from this CVE:

Update package immediately

Implement input validation

Use execFile/child_process.spawn

Apply principle of least privilege

Impact:

Arbitrary command execution

Full system compromise

Data breach potential

RCE on server

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top