Manthan Ghasadiya

**Name of the Vulnerable Software and Affected Versions** radare2-mcp versions 1.6.0 and earlier **Description** An OS command injection flaw allows remote, unauthenticated attackers to execute arbitrary commands on the host system. This is achieved by bypassing the command filter using shell metacharacters in user-controlled input passed to the `r2 cmd str()` function via parameters in the jsonrpc interface. **Recommendations** Update to a version later than 1.6.0.