Jippen

**Name of the Vulnerable Software and Affected Versions** HexStrike AI MCP Server versions prior to commit 2f3a5512 **Description** The HexStrike AI MCP Server is susceptible to a command injection issue. By supplying a command-line argument beginning with a semicolon (`;`) to an **API endpoint** created by the `EnhancedCommandExecutor` class, a composed command is directly executed with root privileges. The server does not sanitize these arguments in its default configuration. The `EnhancedCommandExecutor` class is the component responsible for processing commands. The `username` and `password` parameters are not explicitly mentioned as being involved in this issue. **Recommendations** Versions prior to commit 2f3a5512 should be updated to a version containing the fix. As a temporary workaround, consider disabling the `EnhancedCommandExecutor` class or restricting access to the affected **API endpoint** until a patch is available.