Platform
sap
Component
sap-netweaver-application-server-abap-and-abap-platform
Fixed in
64.0.1
7.22.1
64.0.1
7.53.1
7.22.1
7.54.1
7.77.1
7.89.1
7.93.1
9.16.1
9.18.1
9.19.1
CVE-2026-0509 is a critical command injection vulnerability affecting the @profullstack/mcp-server package. The vulnerability resides within the domain_lookup module, specifically in the /domain-lookup/check and /domain-lookup/bulk endpoints. An attacker can exploit this flaw to execute arbitrary operating system commands on the server hosting the application, leading to potential data breaches and system compromise.
The impact of CVE-2026-0509 is severe due to the potential for remote code execution (RCE). An attacker can inject arbitrary commands through the vulnerable endpoints, gaining complete control over the server. This could lead to data exfiltration, malware installation, denial of service, or any other action the attacker can perform with system-level privileges. The blast radius includes any data stored on the server, as well as the potential for lateral movement to other systems on the network if the server has access to them. This vulnerability is comparable in severity to other command injection flaws that have resulted in significant data breaches and system compromises.
The vulnerability was published on 2026-05-08. The CVSS score is 9.8 (CRITICAL). The affected commit is 2e8ea913573610667ad54e31dba2e8198ebf7cf9. No public exploits are currently known, but the high CVSS score indicates a high potential for exploitation. The vulnerability is not currently listed on KEV or EPSS, but its severity warrants close monitoring. Refer to the project's GitHub repository and the NVD entry for CVE-2026-0509 for further details.
Exploit Status
EPSS
0.02% (4% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-0509 is to upgrade @profullstack/mcp-server to a patched version. As of the publication date, a specific fixed version is not provided, so monitor the project's GitHub repository for updates. As a temporary workaround, input validation and sanitization should be implemented on the /domain-lookup/check and /domain-lookup/bulk endpoints to prevent command injection. Consider implementing a Web Application Firewall (WAF) with rules to detect and block command injection attempts. Regularly scan the application for vulnerabilities using automated tools. After upgrading, verify the fix by attempting to inject a simple command (e.g., whoami) through the vulnerable endpoints – it should be rejected.
Aplicar la actualización de seguridad proporcionada por SAP. Consulte la nota SAP 3674774 para obtener más detalles e instrucciones específicas sobre cómo aplicar el parche a su sistema SAP NetWeaver ABAP.
Vulnerability analysis and critical alerts directly to your inbox.
It's a critical command injection vulnerability in @profullstack/mcp-server allowing attackers to execute arbitrary OS commands.
If you are using @profullstack/mcp-server versions less than or equal to 1.4.12, you are potentially affected.
Upgrade to a patched version of @profullstack/mcp-server. Monitor the project's GitHub repository for updates.
No public exploits are currently known, but the vulnerability is considered highly exploitable.
Refer to the project's GitHub repository and the NVD entry for CVE-2026-0509 for detailed information.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.