A security flaw has been discovered in egtai gmx-vmd-mcp up to 0.1.0. This issue affects the function launch_vmd_gui_tool of the file mcp_server.py of the component VMD Launch Handler. The manipulation of the argument structure_file/trajectory_file results in command injection. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
CVE-2026-7215 is a command injection vulnerability in egtai gmx-vmd-mcp up to version 0.1.0 affecting the VMD Launch Handler component. Remote attackers can exploit this flaw by manipulating structure_file or trajectory_file arguments to execute arbitrary commands.
This security vulnerability affects the VMD Launch Handler component in egtai gmx-vmd-mcp, where remote attackers can inject commands through the file parameters. The exploit has been publicly released, which increases the risk of real-world attacks.
A command injection vulnerability exists in egtai gmx-vmd-mcp versions up to 0.1.0 in the VMD Launch Handler. Attackers can remotely inject commands through manipulated file arguments to achieve unauthorized code execution.
Immediately upgrade egtai gmx-vmd-mcp to a patched version beyond 0.1.0. Implement input validation and sanitization for the structure_file and trajectory_file parameters. Use allowlists for file paths and disable shell interpretation. Apply the principle of least privilege to service accounts running the component.
Upgrade immediately to a patched version of egtai gmx-vmd-mcp beyond 0.1.0. Apply input validation and sanitization to the structure_file and trajectory_file parameters. Use allowlists for file paths and disable shell interpretation. Apply the principle of least privilege to service accounts.
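One way to apply the input-validation, path-allowlist and no-shell mitigations to a launcher that takes structure_file and trajectory_file, as an added example (not the project's code, which this page does not show). The workspace root, accepted extensions, character allowlist, function names and the positional VMD argument layout are all assumptions to adapt to the deployment.

```python
import re
import subprocess
from pathlib import Path

# Assumptions for illustration (not taken from gmx-vmd-mcp):
ALLOWED_ROOT = Path("/srv/md-workspace")       # only files under here may be opened
STRUCTURE_EXT = {".gro", ".pdb"}               # accepted structure formats
TRAJECTORY_EXT = {".xtc", ".trr"}              # accepted trajectory formats
SAFE_CHARS = re.compile(r"[A-Za-z0-9._/-]+")   # no spaces, quotes or shell metacharacters


def validate_path(user_value, allowed_ext, root=ALLOWED_ROOT):
    """Return the resolved path if it passes every check, else raise ValueError."""
    if not isinstance(user_value, str) or not SAFE_CHARS.fullmatch(user_value):
        raise ValueError("path is empty or contains disallowed characters")
    root = root.resolve()
    # resolve() collapses ".." and symlinks, so the containment check below
    # runs on the path that would really be opened.
    candidate = (root / user_value).resolve()
    if not candidate.is_relative_to(root):     # Python 3.9+
        raise ValueError("path escapes the allowed workspace")
    if candidate.suffix.lower() not in allowed_ext:
        raise ValueError("file extension is not on the allowlist")
    return candidate


def build_vmd_argv(structure_file, trajectory_file=None, vmd_bin="vmd"):
    """Build an argument vector; each file is exactly one argv element."""
    # Resolved paths are absolute, so a value can never start with "-" and
    # be read by the launched program as an option.
    argv = [vmd_bin, str(validate_path(structure_file, STRUCTURE_EXT))]
    if trajectory_file is not None:
        argv.append(str(validate_path(trajectory_file, TRAJECTORY_EXT)))
    return argv


def launch_vmd(structure_file, trajectory_file=None):
    """Start VMD without a shell, so no metacharacter is ever interpreted."""
    argv = build_vmd_argv(structure_file, trajectory_file)
    return subprocess.Popen(argv, shell=False)
```

The list-form argv with shell=False is what removes the injection path; the character, containment and extension checks are defense in depth that also limit which files the service account can be made to open.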