CCommand Injection Vulnerability in MCP File ReaderA deliberately vulnerable MCP server demonstrating command injection flaws. This Python implementation shows how lack of input sanitization in file paths leads to critical security vulnerabilities allowing attackers to execute arbitrary commands. For educational purposes only - demonstrates both the vulnerability and proper security practices.

mcp-so:Vulnerable-file-reader-server_Eliran79

92/100

First Seen

Feb 19, 2026

Last Scanned

Feb 20, 2026

Findings

Score

92/100

MEDIUM 1

Findings (1)

MEDIUM

Shell subprocess with shell=True CMDEXEC_001

Detects subprocess calls with shell=True which enables shell injection

shell=True

FIX

Replace shell=True with shell=False and pass command arguments as a list. Validate and sanitize all inputs before passing to the shell.

FP?

Likely FP if the match is in documentation describing how subprocess works, or in a comment explaining shell risks rather than actual code.