CVE-2025-35028 | P2 | CRITICAL | CVSS 9.1 | v33267047667b9accfbf0fdac1c1c7ff12f3a5512 | 2025-11-30
CVE-2025-35028 [CRITICAL] CWE-78
By providing a command-line argument starting with a semi-colon ; to an API endpoint created by the EnhancedCommandExecutor class of the HexStrike AI MCP server, the resultant composed command is executed directly in the context of the MCP server’s normal privilege; typically, this is root. There is no attempt to sanitize these arguments in the defa
nvd