CVE-2026-7653

Name of the Vulnerable Software and Affected Versions r-huijts mcp-server-rijksmuseum versions prior to 1.0.5

Description A flaw in the MCP Interface component allows remote OS command injection. The issue exists within the open image in browser() function located in the src/index.ts file, where manipulation of the imageUrl variable can lead to arbitrary command execution.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability. As a temporary workaround, consider restricting the use of the open image in browser() function.