Akutishevsky

**Name of the Vulnerable Software and Affected Versions** sf-mcp-server (affected versions not specified) **Description** A command injection issue exists in sf-mcp-server, an implementation of Salesforce MCP server for Claude for Desktop. The issue is due to the unsafe use of the `child process.exec` function when building Salesforce CLI commands with input controlled by the user. Successful exploitation could allow attackers to execute arbitrary shell commands with the privileges of the MCP server process. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.