Main Vulnerability Database SB2025103149

SB2025103149 - Command Injection in evernote-mcp-server

Published: October 31, 2025

Security Bulletin ID SB2025103149

Severity

Low

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Local access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Command Injection (CVE-ID: CVE-2025-12489)

The vulnerability allows a local user to execute arbitrary commands on the system.

The vulnerability exists due to insufficient input validation within the openBrowser function. A local user can pass specially crafted data to the application and execute arbitrary commands with elevated privileges.

Remediation

Install update from vendor's website.

References

https://www.zerodayinitiative.com/advisories/ZDI-25-983/
https://github.com/brentmid/evernote-mcp-server/commit/1e66c78c4ce6ea294ac6b0eb289a9eae9c5e9579