RCE in R-huijts Mcp-server-rijksmuseum
CVE-2026-7653
A security flaw has been discovered in r-huijts mcp-server-rijksmuseum up to 1.0.4. Affected is the function open_image_in_browser of the file src/index.ts of the component MCP Interface. Performing a manipulation of the argument imageUrl…
Vulnerability class: Command Injection (OS Command Injection)
EPSS: 0.004 (61.8th percentile) — read the EPSS interpretation.
CVSS v3 metric
CVSS v3 base score 6.3 (Medium). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L.
Affected products
- R-huijts Mcp-server-rijksmuseum — versions 1.0.0, 1.0.1, 1.0.2
Weakness classification (CWE)
References
- VDB-360778 | r-huijts mcp-server-rijksmuseum MCP index.ts open_image_in_browser os command injection (technical-description, vdb-entry)
- VDB-360778 | CTI Indicators (IOB, IOC, TTP, IOA) (signature, permissions-required)
- Submit #806909 | r-huijts mcp-server-rijksmuseum 1.0.4 Command Injection (third-party-advisory)
- cna@vuldb.com (issue-tracking, exploit)
Frequently asked questions
- What is CVE-2026-7653?
- CVE-2026-7653 is a medium-severity vulnerability in R-huijts Mcp-server-rijksmuseum, classified under Command Injection. CVSS score: 6.3/10. Published 2026-05-02.
- How severe is CVE-2026-7653?
- Medium severity. CVSS v3 base score is 6.3 out of 10.