CVE-2026-2131
OS Command Injection in HarmonyOS-mcp-server input_text Function
Publication date: 2026-02-08
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| xixianliang | harmonyos_mcp_server | 0.1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-2131 is a critical OS command injection vulnerability found in the XixianLiang HarmonyOS-mcp-server version 0.1.0, specifically affecting the function input_text.
The vulnerability arises from improper handling of the text argument, which allows an attacker to inject and execute arbitrary operating system commands remotely.
This issue is classified under CWE-78, meaning the product constructs OS commands using externally influenced input without properly neutralizing special characters that could alter the intended command execution.
The attack can be performed remotely without physical or local access, and a proof-of-concept exploit is publicly available.
How can this vulnerability impact me? :
This vulnerability impacts the confidentiality, integrity, and availability of the affected system.
An attacker can remotely execute arbitrary OS commands, potentially leading to unauthorized data access, data modification, or disruption of service.
Because the exploit is publicly available and easy to use, the risk of exploitation is significant.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is an OS command injection in the input_text function of HarmonyOS-mcp-server 0.1.0, which can be exploited remotely by manipulating the text argument.
Detection can involve monitoring for unusual or suspicious commands executed via the input_text function or network traffic targeting this function with crafted payloads.
Since the exploit is publicly available, you can attempt to detect exploitation attempts by searching for known exploit patterns or payloads in your logs.
Specific commands to detect this vulnerability are not provided in the available resources.
What immediate steps should I take to mitigate this vulnerability?
No known countermeasures or mitigations have been identified for this vulnerability.
It is suggested to replace the affected product, HarmonyOS-mcp-server version 0.1.0, with an alternative to avoid exploitation.