CVE-2025-15060

Published Mar 16, 2026

Last updated 3 months ago

Overview

AI description

Automated description summarized from trusted sources.

CVE-2025-15060 is a command injection vulnerability (CWE-78) in claude-hovercraft. The flaw resides in the implementation of the `executeClaudeCode` method, which uses a user-supplied string to execute a system call without properly validating it. Remote attackers can exploit it without authentication to execute arbitrary code on affected installations of claude-hovercraft, in the context of the service account.

Description
claude-hovercraft executeClaudeCode Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of claude-hovercraft. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of the executeClaudeCode method. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-27785.
Source
zdi-disclosures@trendmicro.com
NVD status
Awaiting Analysis

Risk scores

CVSS 3.0

Type
Secondary
Base score
9.8
Impact score
5.9
Exploitability score
3.9
Vector string
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity
CRITICAL

Weaknesses

zdi-disclosures@trendmicro.com
CWE-78

