Description
A vulnerability has been found in ahujasid blender-mcp up to 7636d13bded82eca58eb93c3f4cd8708dfdfbe8b. Impacted is the function Open of the file src/blender_mcp/server.py. The manipulation of the argument input_image_url leads to injection. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. The identifier of the patch is 5b37be25242e73dc4cf1328974d30458b9e5d67e. To fix this issue, it is recommended to deploy a patch.
References (8)
Core 8
Core References
Exploit exploit
issue-tracking
https://github.com/ahujasid/blender-mcp/issues/202
Vdb Entry, Technical Description vdb-entry
technical-description
VDB-367956 | ahujasid blender-mcp server.py open injection
https://vuldb.com/vuln/367956
Signature, Permissions Required signature
permissions-required
VDB-367956 | CTI Indicators (IOB, IOC, TTP, IOA)
https://vuldb.com/vuln/367956/cti
Third Party Advisory third-party-advisory
CVE-2026-10661 | CVE Analysis and Report
https://vuldb.com/cve/CVE-2026-10661
Third Party Advisory third-party-advisory
Submit #830486 | ahujasid blender-mcp Latest Arbitrary File Read
https://vuldb.com/submit/830486
Patch issue-tracking
patch
https://github.com/ahujasid/blender-mcp/pull/205
Patch patch
https://github.com/bergskenop/blender-mcp/commit/5b37be25242e73dc4cf1328974d30458b9e5d67e
Broken Link, Product broken-link
product
https://github.com/ahujasid/blender-mcp/
Scores
CVSS v3
4.3
EPSS
0.0025
EPSS Percentile
15.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-707
CWE-74
Status
published
Products (1)
ahujasid/blender-mcp
7636d13bded82eca58eb93c3f4cd8708dfdfbe8b
Published
Jun 02, 2026
Tracked Since
Jun 03, 2026