Unknown · Aap Mcp Server · CVE-2026-6494
**Name of the Vulnerable Software and Affected Versions**
AAP MCP server (affected versions not specified)
**Description**
An unauthenticated remote attacker can exploit a log injection flaw by sending specially crafted input to the `toolsetroute` parameter. This parameter is not properly sanitized before being written to logs, allowing the injection of control characters such as newlines and ANSI escape sequences. This capability enables an attacker to obscure legitimate log entries and insert forged ones, which could facilitate social engineering attacks, potentially leading an operator to execute dangerous commands or visit malicious URLs.
**Recommendations**
At the moment, there is no information about a newer version that contains a fix for this vulnerability.