CVE-2026-2131 PUBLISHED

A vulnerability was identified in XixianLiang HarmonyOS-mcp-server 0.1.0. This vulnerability affects the function input_text. The manipulation of the argument text leads to os command injection. Remote exploitation of the attack is possible. The exploit is publicly available and might be used.

• Lexpl0it (VulDB User) reporter

• VDB-344766 | XixianLiang HarmonyOS-mcp-server input_text os command injection
• VDB-344766 | CTI Indicators (IOB, IOC, TTP, IOA)
• Submit #747209 | GitHub HarmonyOS-mcp-server v0.1.0 Command Injection
• https://github.com/scanleale/MCP_sec/blob/main/HarmonyOS-mcp-server%20RCE%20vulnerability.md

• OS Command Injection CWE
• Command Injection CWE