CVE-2026-3484
Remote Command Injection in PhialsBasement nmap-mcp-server CLI Handler
Publication date: 2026-03-03
Last updated on: 2026-03-05
Assigner: VulDB
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| phialsbasement | mcp_nmap_server | up to and including 1.0.1 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-3484 is a command injection vulnerability in the PhialsBasement nmap-mcp-server, specifically in the Nmap CLI Command Handler component. The flaw exists in the child_process.exec function within the src/index.ts file, where user-supplied input is used to construct shell commands without proper sanitization. This allows remote attackers to inject arbitrary shell commands that get executed on the server.
The vulnerability arises because special characters in user input are not neutralized, leading to CWE-77 (Improper Neutralization of Special Elements used in a Command). Attackers can exploit this remotely to execute arbitrary commands, impacting the confidentiality, integrity, and availability of the affected system.
The issue was fixed by replacing the unsafe exec call with execFile, which executes commands without invoking a shell, and by validating and allowlisting safe command flags to prevent injection.
How can this vulnerability impact me?
This vulnerability allows remote attackers to execute arbitrary commands on the system running the nmap-mcp-server with the privileges of the MCP server process.
Successful exploitation can compromise the confidentiality, integrity, and availability of the affected system by allowing unauthorized command execution.
- Remote code execution on the host system.
- Potential unauthorized access to sensitive data.
- Disruption or manipulation of system operations.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves command injection in the nmap-mcp-server's Nmap CLI Command Handler, specifically in the child_process.exec function. Detection can focus on monitoring for unusual or unauthorized command executions originating from the MCP server process.
Since the vulnerability allows remote attackers to execute arbitrary commands, network or system detection can include monitoring for unexpected or suspicious Nmap command invocations or shell commands executed by the MCP server.
Suggested commands for detection include using standard system tools to check running processes and command histories related to the nmap-mcp-server, for example:
- On Linux or Windows Subsystem for Linux: `ps aux | grep nmap-mcp-server` to identify running instances.
- Check command execution logs or shell histories for suspicious commands involving nmap or unusual flags.
- Use network monitoring tools to detect unexpected outbound connections or command executions triggered by the MCP server.
Additionally, since the server runs on Windows with Node.js, inspecting Node.js process logs or enabling auditing on the server to capture command execution attempts can help detect exploitation attempts. [1, 2, 6]
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to apply the patch identified by commit 30a6b9e1c7fa6146f51e28d6ab83a2568d9a3488, which fixes the vulnerability by replacing the unsafe use of child_process.exec with execFile and implementing strict validation of user-supplied input.
This patch eliminates shell command injection by:
- Replacing exec with execFile to avoid shell interpretation.
- Passing command arguments as an array rather than a concatenated string.
- Validating and allowlisting safe Nmap flags for the additionalFlags parameter.
If immediate patching is not possible, consider restricting network access to the MCP server to trusted users only, disabling or limiting the use of the additionalFlags parameter, and monitoring for suspicious command executions.
Also, review and harden the server's environment and permissions to minimize the impact of potential exploitation. [1, 3, 6]
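The three patch properties listed above (execFile, an argument array, an allowlist for additionalFlags), sketched as an added example; this is not the project's patch. The function names, the contents of `ALLOWED_FLAGS` and the target pattern are assumptions chosen for illustration.

```javascript
// Added example: hardened argument construction for an nmap wrapper.
// ALLOWED_FLAGS and TARGET_RE are assumed values, not the project's own.
const ALLOWED_FLAGS = new Set(["-sV", "-sT", "-Pn", "-F", "-O", "--open", "-T3", "-T4"]);

// Hostname, IPv4 address or IPv4 CIDR. The first character must be
// alphanumeric so a value such as "-oN" cannot be parsed by nmap as an option.
const TARGET_RE = /^[A-Za-z0-9][A-Za-z0-9.-]{0,252}(\/\d{1,2})?$/;

// Returns the argv array for execFile; throws on anything not allowlisted.
function buildNmapArgs(target, additionalFlags = "") {
  if (typeof target !== "string" || !TARGET_RE.test(target)) {
    throw new Error("rejected target");
  }
  const flags = String(additionalFlags).split(/\s+/).filter(Boolean);
  for (const flag of flags) {
    // Exact-match allowlist: "-sV;" or "$(...)" never equals an allowed flag.
    if (!ALLOWED_FLAGS.has(flag)) {
      throw new Error(`rejected flag: ${JSON.stringify(flag)}`);
    }
  }
  return [...flags, target];
}

// Runs nmap without a shell. Each array element reaches nmap as exactly one
// argument, so ; | & $ and backticks are never interpreted.
async function runNmap(target, additionalFlags) {
  const { execFile } = await import("node:child_process");
  const args = buildNmapArgs(target, additionalFlags);
  return new Promise((resolve, reject) => {
    execFile("nmap", args, { timeout: 60000 }, (err, stdout) =>
      err ? reject(err) : resolve(stdout));
  });
}

// True when buildNmapArgs refuses the input (used to exercise the validator).
function isRejected(target, additionalFlags) {
  try {
    buildNmapArgs(target, additionalFlags);
    return false;
  } catch {
    return true;
  }
}
```

Validation runs before any process is spawned, so a rejected request can be logged with the offending value and used as a detection signal.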