CVE-2026-7653 | r-huijts mcp-server-rijksmuseum up to 1.0.4 MCP Interface src/index.ts open_image_in_browser imageUrl os command injection

A vulnerability marked as critical has been reported in r-huijts mcp-server-rijksmuseum up to 1.0.4. Affected is the function open_image_in_browser of the file src/index.ts of the component MCP Interface. Performing a manipulation of the argument imageUrl results in os command injection.

This vulnerability is reported as CVE-2026-7653. The attack is possible to be carried out remotely. Moreover, an exploit is present.

The project was informed of the problem early through an issue report but has not responded yet.

CVE-2026-7653 | r-huijts mcp-server-rijksmuseum up to 1.0.4 MCP Interface src/index.ts open_image_in_browser imageUrl os command injection

Post correlati

CVE-2024-30263 | xwikisas macro-pdfviewer up to 2.5.0 PDF Viewer Macro file information disclosure (ID 49)

CVE-2025-48705 | COROS up to 3.0808.0 BLE Message null pointer dereference

CVE-2025-5184 | Summer Pearl Group Vacation Rental Management Platform up to 1.0.1 HTTP Response Header information disclosure

CVE-2023-37244 | N-Able AutomationManagerAgent up to 2.80.0.1 AutomationManager.AgentService.exe race condition (MNDT-2023-0016)