Godot Mcp · Godot-Mcp · CVE-2026-25546
**Name of the Vulnerable Software and Affected Versions**
Godot MCP versions prior to 0.1.1
**Description**
Godot MCP is a Model Context Protocol (MCP) server for interacting with the Godot game engine. A command injection issue in godot-mcp allows remote code execution. The `executeOperation()` function passes user-controlled input, such as `projectPath`, directly to `exec()`, which spawns a shell. An attacker could inject shell metacharacters such as `$(command)` or `&calc` to execute arbitrary commands with the privileges of the MCP server process. This affects tools that accept `projectPath`, including `create scene`, `add node`, and `load sprite`.
**Recommendations**
Update to Godot MCP version 0.1.1 or later.