CVE-2026-0758
Unknown Unknown - Not Provided
Command Injection in mcp-server-siri-shortcuts Enables Privilege Escalation

Publication date: 2026-01-23

Last updated on: 2026-01-23

Assigner: Zero Day Initiative

Description
mcp-server-siri-shortcuts shortcutName Command Injection Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of mcp-server-siri-shortcuts. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the shortcutName parameter. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the service account. Was ZDI-CAN-27910.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-23
Last Modified
2026-01-23
Generated
2026-06-16
AI Q&A
2026-01-23
EPSS Evaluated
2026-06-14
NVD
CVE-2026-0758
EUVD
EUVD-2026-4476
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
unknown_vendor mcp-server-siri-shortcuts *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the mcp-server-siri-shortcuts product and involves improper validation of the user-supplied "shortcutName" parameter. Because this parameter is used in a system call without proper sanitization, a local attacker who can already execute low-privileged code on the system can exploit this flaw to escalate their privileges and execute arbitrary code with the privileges of the service account running the software. [1]

Impact Analysis

If exploited, this vulnerability allows an attacker who has limited access to the system to escalate their privileges, potentially gaining higher-level access and control. This can lead to unauthorized execution of arbitrary code, compromising the confidentiality, integrity, and availability of the affected system. [1]

Mitigation Strategies

To mitigate this vulnerability, ensure that untrusted user input, especially the 'shortcutName' parameter, is properly validated and sanitized before being used in system calls. Restrict the ability to execute low-privileged code on the system to trusted users only. Apply any available patches or updates from the vendor addressing this issue. Additionally, review and limit the privileges of the service account running mcp-server-siri-shortcuts to minimize impact if exploited. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-0758. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart