ICUICU
Risk: critical

ch.pfx/mcp-server

v1.0.0

MCP Server for Forterro Proffix Px5 ERP

MCP Registry | pfx | First seen: Feb 24, 2026 | Source

Total: 23 | Critical: 10 | High: 1 | Medium: 12

Findings

unknown
critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive. The flagged lines are entries in what appears to be an ignore file (note the surrounding "# Environment files" and "# IDE" comments), which keeps .env files out of version control rather than reading them.

    8: # Environment files
    9: .env
>>> 10: .env.local
    11: 
    12: # IDE
critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive. The line itself only reads configuration, but its precedence matters: the first command-line argument wins over MCP_SERVER_URL and over the built-in default, so whoever controls the launch arguments of the server controls which endpoint it talks to.

    35: 
    36: // Configuration
>>> 37: const SERVER_URL = process.argv[2] || process.env.MCP_SERVER_URL || 'https://mcp.pfx.ch/api/server';
    38: 
    39: // Proffix credentials from environment
critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive. The rule matches the read of process.env, not any transmission of the value, so confirming exfiltration means following where PROFFIX_USERNAME and the neighbouring credentials are sent. Separately, the || '' fallback turns an unset variable into an empty string instead of a startup error.

    38: 
    39: // Proffix credentials from environment
>>> 40: const PROFFIX_USERNAME = process.env.PROFFIX_USERNAME || '';
    41: const PROFFIX_PASSWORD = process.env.PROFFIX_PASSWORD || '';
    42: const PROFFIX_URL = process.env.PROFFIX_URL || '';
critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    39: // Proffix credentials from environment
    40: const PROFFIX_USERNAME = process.env.PROFFIX_USERNAME || '';
>>> 41: const PROFFIX_PASSWORD = process.env.PROFFIX_PASSWORD || '';
    42: const PROFFIX_URL = process.env.PROFFIX_URL || '';
    43: const PROFFIX_PORT = process.env.PROFFIX_PORT || '';

critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    40: const PROFFIX_USERNAME = process.env.PROFFIX_USERNAME || '';
    41: const PROFFIX_PASSWORD = process.env.PROFFIX_PASSWORD || '';
>>> 42: const PROFFIX_URL = process.env.PROFFIX_URL || '';
    43: const PROFFIX_PORT = process.env.PROFFIX_PORT || '';
    44: const PROFFIX_DATABASE = process.env.PROFFIX_DATABASE || '';

critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    41: const PROFFIX_PASSWORD = process.env.PROFFIX_PASSWORD || '';
    42: const PROFFIX_URL = process.env.PROFFIX_URL || '';
>>> 43: const PROFFIX_PORT = process.env.PROFFIX_PORT || '';
    44: const PROFFIX_DATABASE = process.env.PROFFIX_DATABASE || '';
    45: 

critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    42: const PROFFIX_URL = process.env.PROFFIX_URL || '';
    43: const PROFFIX_PORT = process.env.PROFFIX_PORT || '';
>>> 44: const PROFFIX_DATABASE = process.env.PROFFIX_DATABASE || '';
    45: 
    46: // API Key from environment (Authorization header)

critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    45: 
    46: // API Key from environment (Authorization header)
>>> 47: const HTTP_AUTHORIZATION = process.env.HTTP_AUTHORIZATION || '';
    48: 
    49: // Response format from environment (optional)

critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    48: 
    49: // Response format from environment (optional)
>>> 50: const RESPONSE_FORMAT = process.env.RESPONSE_FORMAT || '';
    51: 
    52: // Setup file logging

critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    7: 
    8: # Environment files
>>> 9: .env
    10: .env.local
    11: 
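The DE-002 findings above all point at the same startup block: credentials read with process.env.X || '' and a server URL that the first command-line argument can override. The block below is an added example, not code from ch.pfx/mcp-server, showing a fail-closed version of that block. The variable names and the default URL are taken from the flagged lines; the host allowlist, the port check and the decision to throw on a missing value are assumptions about what the deployment should enforce.

```javascript
// Added example (not code from ch.pfx/mcp-server): a fail-closed replacement
// for the startup block shown in the DE-002 findings. Variable names and the
// default URL come from the flagged lines; the allowlist and the throws are
// assumptions.

const DEFAULT_SERVER_URL = 'https://mcp.pfx.ch/api/server'; // default from flagged line 37
const ALLOWED_SERVER_HOSTS = new Set(['mcp.pfx.ch']);       // assumption: vendor host only
const REQUIRED_VARS = [
  'PROFFIX_USERNAME', 'PROFFIX_PASSWORD', 'PROFFIX_URL', 'PROFFIX_PORT', 'PROFFIX_DATABASE',
];

// The original takes argv[2] || MCP_SERVER_URL || default and uses the result
// as-is. The same precedence is kept here, but the result must be an https URL
// on an allowlisted host, so a launch argument cannot redirect the session.
function resolveServerUrl(argv, env) {
  const raw = argv[2] || env.MCP_SERVER_URL || DEFAULT_SERVER_URL;
  let url;
  try {
    url = new URL(raw);
  } catch {
    throw new Error(`MCP server URL is not a valid URL: ${raw}`);
  }
  if (url.protocol !== 'https:') {
    throw new Error(`MCP server URL must use https, got ${url.protocol}`);
  }
  if (!ALLOWED_SERVER_HOSTS.has(url.hostname)) {
    throw new Error(`MCP server host is not allowlisted: ${url.hostname}`);
  }
  return url.toString();
}

// The original reads every credential as `process.env.X || ''`, so an unset
// PROFFIX_PASSWORD silently becomes an empty password. This loader refuses to
// start instead, and validates the port so a typo cannot send traffic elsewhere.
function loadConfig(argv = process.argv, env = process.env) {
  const missing = REQUIRED_VARS.filter((name) => !env[name]);
  if (missing.length > 0) {
    throw new Error(`missing required environment variables: ${missing.join(', ')}`);
  }
  const port = Number(env.PROFFIX_PORT);
  if (!Number.isInteger(port) || port < 1 || port > 65535) {
    throw new Error(`PROFFIX_PORT is not a valid TCP port: ${env.PROFFIX_PORT}`);
  }
  return {
    serverUrl: resolveServerUrl(argv, env),
    proffix: {
      username: env.PROFFIX_USERNAME,
      password: env.PROFFIX_PASSWORD,
      url: env.PROFFIX_URL,
      port,
      database: env.PROFFIX_DATABASE,
    },
    // Optional in the original (lines 47 and 50); kept optional, but null rather than ''.
    httpAuthorization: env.HTTP_AUTHORIZATION || null,
    responseFormat: env.RESPONSE_FORMAT || null,
  };
}

// Redacted view for startup logging: the original sets up file logging right
// after reading the secrets (line 52), so the config object itself must never
// be logged.
function describeConfig(cfg) {
  return {
    serverUrl: cfg.serverUrl,
    proffixUrl: cfg.proffix.url,
    proffixPort: cfg.proffix.port,
    proffixDatabase: cfg.proffix.database,
    proffixUser: cfg.proffix.username,
    password: '[redacted]',
    httpAuthorization: cfg.httpAuthorization ? '[redacted]' : null,
  };
}
```

Whether the real server forwards these values to SERVER_URL is not shown on this page; the point of the example is that the two weaknesses visible in the flagged lines (empty-string defaults for secrets and an unvalidated, argument-controlled endpoint) are fixable at the point where the environment is read, before any exfiltration question arises.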
high | SC-005 | Suspicious Commands | Medium Confidence | Line 0

Node.js child process spawning

Detected by automated pattern matching (rule SC-005) with medium confidence. May be a false positive. The require sits in a file whose ROOT_DIR is resolved from __dirname/.., which is consistent with a repository helper script rather than the server's request path; what needs review is each execSync call site and whether any part of its command string derives from untrusted input.

    8: const fs = require('fs');
    9: const path = require('path');
>>> 10: const { execSync } = require('child_process');
    11: 
    12: const ROOT_DIR = path.join(__dirname, '..');
medium | EN-001 | unknown | Medium Confidence | Line 0

High-entropy string (4.9 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

medium | EN-001 | unknown | Medium Confidence | Line 0

High-entropy string (4.8 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.
medium | OB-001 | Obfuscation | Medium Confidence | Line 0

Possible Base64-encoded payload (long encoded string)

Detected by automated pattern matching (rule OB-001) with medium confidence. May be a false positive. The matched text is the release-download URL of the mcp-publisher tool inside a GitHub Actions step, not an encoded payload. The security-relevant point in this line is a different one: it fetches the latest release over the network and extracts it straight from the pipe, without pinning a version or verifying a checksum or signature.

    154:         if: steps.check_tag.outputs.exists == 'false'
    155:         run: |
>>> 156:           curl -L "https://github.com/modelcontextprotocol/registry/releases/latest/download/mcp-publisher_$(uname -s | tr '[:upper:]' '[:lower:]')_$(uname -m | sed 's/x86_64/amd64/;s/aarch64/arm64/').tar.gz" | tar xz mcp-publisher
    157:           
    158:       - name: Login to MCP Registry
medium | EN-001 | unknown | Medium Confidence | Line 0

High-entropy string (4.9 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

medium | EN-001 | unknown | Medium Confidence | Line 0

High-entropy string (4.8 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

medium | EN-001 | unknown | Medium Confidence | Line 0

High-entropy string (4.9 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

medium | EN-001 | unknown | Medium Confidence | Line 0

High-entropy string (4.9 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

medium | EN-001 | unknown | Medium Confidence | Line 0

High-entropy string (4.8 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

medium | EN-001 | unknown | Medium Confidence | Line 0

High-entropy string (4.8 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

medium | EN-001 | unknown | Medium Confidence | Line 0

High-entropy string (4.9 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

medium | EN-001 | unknown | Medium Confidence | Line 0

High-entropy string (4.9 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

medium | EN-001 | unknown | Medium Confidence | Line 0

High-entropy string (4.7 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

Scan History

Date | Risk | Findings
Feb 26, 2026 | critical | 23
Feb 24, 2026 | critical | 23