github.com/bluenviron/mediamtx is vulnerable to Code Injection
72
High Risk
Affected versions of this package allow command injection when MTX_QUERY is explicitly used inside hooks, such as passing it into shell commands like curl http://something/?$MTX_QUERY, because untrusted query string data may be interpreted as additional command input. An attacker could craft a malicious request containing shell metacharacters in the query string so that, when the hook is executed, arbitrary commands run on the underlying system. The issue is mitigated by URL-encoding MTX_QUERY, preventing attacker-controlled input from being interpreted as executable shell content.
You are affected if you are running a version that falls within the vulnerable range and MTX_QUERY is used inside a hook command.
github.com/bluenviron/mediamtx is vulnerable to Code Injection in versions 1.4.0 - 1.18.0.
Upgrade the github.com/bluenviron/mediamtx library to the patched version.
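An added example, not code from this advisory or from MediaMTX: a hook wrapper script that applies the URL-encoding mitigation described above and hands the result to curl as a single quoted argument. The function names are hypothetical, and the script assumes MTX_QUERY reaches the hook through its environment rather than through the hook's command line.

```shell
#!/bin/sh
# Added example, not MediaMTX code. encode_query, build_url, send_hook and
# the wrapper itself are hypothetical; BASE_URL is the advisory's sample URL.
# Assumption: the hook command is only this script's path, and MTX_QUERY
# reaches it through the environment, never through the command line.
LC_ALL=C            # byte-wise matching for the allow-list below
BASE_URL='http://something/'

# Percent-encode every character outside a small allow-list. '&' and '='
# stay so the query keeps its shape; '%' stays so escapes the client
# already sent are not encoded twice.
encode_query() {
    s=$1 out=
    while [ -n "$s" ]; do
        rest=${s#?}             # everything after the first character
        c=${s%"$rest"}          # the first character itself
        case $c in
            [A-Za-z0-9._~%=-] | '&') out=$out$c ;;
            *) out=$out$(printf '%%%02X' "'$c") ;;
        esac
        s=$rest
    done
    printf '%s' "$out"
}

# The encoded query is appended to a fixed prefix, so the result can never
# start with '-' and be read as a curl option.
build_url() {
    printf '%s?%s' "$BASE_URL" "$(encode_query "${MTX_QUERY:-}")"
}

# The URL is passed as one double-quoted argument: no word splitting,
# no globbing, no second round of shell parsing.
send_hook() {
    curl --silent --fail "$(build_url)"
}

case ${1:-} in
    --send) send_hook ;;
    --demo) MTX_QUERY='user=alice&note=a b;id'   # constructed sample input
            build_url; echo ;;
esac
```

Run the script with --demo to print the URL built from the constructed query string without making a request.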