CVE-2026-5346

HIGH

huimeicloud hm_editor image-to-base64 Endpoint mcp-server.js client.get server-side request forgery

Title source: cna

Description

A vulnerability was determined in huimeicloud hm_editor up to 2.2.3. Impacted is the function client.get of the file src/mcp-server.js of the component image-to-base64 Endpoint. Executing a manipulation of the argument url can lead to server-side request forgery. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.

References (4)

[Vdb Entry, Technical Description] https://vuldb.com/vuln/354701

[Signature, Permissions Required] https://vuldb.com/vuln/354701/cti

[Third Party Advisory] https://vuldb.com/submit/781341

[Exploit] https://github.com/wing3e/public_exp/issues/11

Scores

CVSS v3 7.3

EPSS 0.0005

EPSS Percentile 15.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-918

Status published

Products (4)

huimeicloud/hm_editor 2.2.0

huimeicloud/hm_editor 2.2.1

huimeicloud/hm_editor 2.2.2

huimeicloud/hm_editor 2.2.3

Published Apr 02, 2026

Tracked Since Apr 02, 2026