CVE-2026-10280

HIGH

horizon921 mcpilot 0.1.0 - Server-Side Request Forgery via serverBaseUrl Argument

Title source: llm

Description

A security flaw has been discovered in horizon921 mcpilot 0.1.0. The impacted element is an unknown function of the file client/src/app/api/mcp/call/route.ts of the component MCP API Call Endpoint. The manipulation of the argument serverBaseUrl results in server-side request forgery. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.

References (6)

Core 6

Core References

Permissions Required, VDB Entry vdb-entry technical-description

https://vuldb.com/vuln/367573

Permissions Required, VDB Entry signature permissions-required

https://vuldb.com/vuln/367573/cti

Permissions Required, VDB Entry third-party-advisory

https://vuldb.com/cve/CVE-2026-10280

Permissions Required, VDB Entry third-party-advisory

https://vuldb.com/submit/825426

Issue Tracking exploit issue-tracking

https://github.com/horizon921/mcpilot/issues/1

Various Sources product

https://github.com/horizon921/mcpilot/

View Writeup ZIP pw:eip

Scores

CVSS v3 7.3

EPSS 0.0029

EPSS Percentile 20.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-918

Status published

Products (1)

horizon921/mcpilot 0.1.0

Published Jun 01, 2026

Tracked Since Jun 02, 2026