CVE-2026-10274
MEDIUMindrasishbanerjee aem-mcp-server Axios Request Flow mcp-server.ts getAssetMetadata server-side request forgery
Title source: cnaDescription
A vulnerability was determined in indrasishbanerjee aem-mcp-server up to b5f833aef9b5dfd17a5991b3b18a8a11edbdc583. This impacts the function getAssetMetadata of the file src/mcp-server.ts of the component Axios Request Flow. Executing a manipulation of the argument assetPath can lead to server-side request forgery. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. The project was informed of the problem early through an issue report but has not responded yet.
References (6)
Core 6
Core References
Vdb Entry, Technical Description vdb-entry
technical-description
VDB-367553 | indrasishbanerjee aem-mcp-server Axios Request Flow mcp-server.ts getAssetMetadata server-side request forgery
https://vuldb.com/vuln/367553
Signature, Permissions Required signature
permissions-required
VDB-367553 | CTI Indicators (IOB, IOC, IOA)
https://vuldb.com/vuln/367553/cti
Third Party Advisory third-party-advisory
CVE-2026-10274 | CVE Analysis and Report
https://vuldb.com/cve/CVE-2026-10274
Third Party Advisory third-party-advisory
Submit #825401 | indrasishbanerjee aem-mcp-server 1.0.0 Server-Side Request Forgery
https://vuldb.com/submit/825401
Exploit exploit
issue-tracking
https://github.com/indrasishbanerjee/aem-mcp-server/issues/3
Product product
https://github.com/indrasishbanerjee/aem-mcp-server/
Scores
CVSS v3
6.3
EPSS
0.0021
EPSS Percentile
11.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Details
CWE
CWE-918
Status
published
Products (1)
indrasishbanerjee/aem-mcp-server
b5f833aef9b5dfd17a5991b3b18a8a11edbdc583
Published
Jun 01, 2026
Tracked Since
Jun 01, 2026