mcp_servers

CRITICAL VULNERABILITIES: 1. MySQL Server: Uses hardcoded default database credentials (MYSQL_USER: `crisenri_intranet`, MYSQL_PASSWORD: `].wKbv44W4LW8b`) if environment variables are not set. This exposes sensitive information directly in the source code. 2. MySQL Server: The `execute_query` tool directly takes an arbitrary SQL query string from client input and executes it without any sanitization or validation. This leads to a severe SQL Injection vulnerability. The `multipleStatements: true` setting further exacerbates this risk. 3. PDF Extractor: The `extract_text` and `extract_page` MCP tools take a `filePath` argument directly from client input without validating if it's within an allowed directory. This allows for arbitrary file read vulnerabilities, potentially exposing any file on the server. While the `filesystem` server demonstrates good security practices by rigorously validating paths against an allowed directory list, the presence of critical flaws in other parts of the repository significantly lowers the overall security posture.