Command Injection Vulnerability in Evernote MCP Server
CVE-2025-12489

7.8 HIGH

Key Information:

Vendor
CVE Published: 6 November 2025

What is CVE-2025-12489?

The Evernote MCP Server contains a command injection vulnerability in its 'openBrowser' function. The flaw exists because user-supplied input is not adequately validated before it is executed as a system command. An attacker who has gained low-privileged access can exploit the issue to escalate privileges and run arbitrary code in the context of the service account, which could lead to severe consequences including unauthorized actions and data breaches.

Affected Version(s)

evernote-mcp-server 2.1.0

References

CVSS V3.0

Score: 7.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
