Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') Affecting astro-mcp-server package, versions *


Severity

Recommended
0.0
medium
0
10

CVSS assessment by Snyk's Security Team. Learn more

Threat Intelligence

Exploit Maturity
Proof of Concept
EPSS
0.2% (10th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-JS-ASTROMCPSERVER-16700045
  • published15 May 2026
  • disclosed1 May 2026
  • creditUnknown

Introduced: 1 May 2026

CVE-2026-7591  (opens in a new tab)
CWE-74  (opens in a new tab)

How to fix?

There is no fixed version for astro-mcp-server.

Overview

astro-mcp-server is a MCP server for Astro ASO (App Store Optimization) data - Access keyword rankings, historical data, and app metrics

Affected versions of this package are vulnerable to Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') in the MCP Tool Query Construction process in src/index.ts when handling the request.params.arguments parameter. An attacker can execute arbitrary SQL commands by supplying crafted input remotely.

References

CVSS Base Scores

version 4.0
version 3.1