CVE-2026-7653 | r-huijts mcp-server-rijksmuseum up to 1.0.4 MCP Interface src/index.ts open_image_in_browser imageUrl os command injection

May 1, 2026 Yanac

A vulnerability marked as critical has been reported in r-huijts mcp-server-rijksmuseum up to 1.0.4. Affected is the function open_image_in_browser of the file src/index.ts of the component MCP Interface. Performing a manipulation of the argument imageUrl results in os command injection.

This vulnerability is reported as CVE-2026-7653. The attack is possible to be carried out remotely. Moreover, an exploit is present.

The project was informed of the problem early through an issue report but has not responded yet.VulDB Recent EntriesRead More