RyuzakiShinji biome-mcp-server allows remote attackers to inject malicious commands
CVE-2026-3680
Summary
A command injection flaw in RyuzakiShinji biome-mcp-server, up to version 1.0.0, allows remote attackers to inject commands. This could lead to unauthorized actions on your server. To fix this issue, update to a version that includes the patch (335e1727147efeef011f1ff8b05dd751d8a660be).
Original title
A security flaw has been discovered in RyuzakiShinji biome-mcp-server up to 1.0.0. Affected by this issue is some unknown functionality of the file biome-mcp-server.ts. Performing a manipulation re...
Original description
A security flaw has been discovered in RyuzakiShinji biome-mcp-server up to 1.0.0. Affected by this issue is some unknown functionality of the file biome-mcp-server.ts. Performing a manipulation results in command injection. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. The patch is named 335e1727147efeef011f1ff8b05dd751d8a660be. Applying a patch is the recommended action to fix this issue.
nvd CVSS2.0: 6.5
nvd CVSS3.1: 6.3
nvd CVSS4.0: 5.3
Vulnerability type
CWE-74: Injection
CWE-77: Command Injection
- https://github.com/RyuzakiShinji/biome-mcp-server/
- https://github.com/RyuzakiShinji/biome-mcp-server/pull/1
- https://github.com/RyuzakiShinji/biome-mcp-server/pull/1/changes/335e1727147efee...
- https://github.com/user-attachments/files/25466715/biome-mcp-server_security_adv...
- https://vuldb.com/?ctiid.349582
- https://vuldb.com/?id.349582
- https://vuldb.com/?submit.765399
Published: 7 Mar 2026 · Updated: 13 Mar 2026 · First seen: 7 Mar 2026