CVE-2026-10280 | horizon921 mcpilot 0.1.0 MCP API Call Endpoint route.ts serverBaseUrl server-side request forgery

A vulnerability, which was classified as critical, was found in horizon921 mcpilot 0.1.0. The impacted element is an unknown function of the file client/src/app/api/mcp/call/route.ts of the component MCP API Call Endpoint. The manipulation of the argument serverBaseUrl results in server-side request forgery.

This vulnerability is reported as CVE-2026-10280. The attack can be launched remotely. Moreover, an exploit is present.

The project was informed of the problem early through an issue report but has not responded yet.

CVE-2026-10280 | horizon921 mcpilot 0.1.0 MCP API Call Endpoint route.ts serverBaseUrl server-side request forgery

Post correlati

CVE-2023-52100 | Huawei HarmonyOS 4.0.0 Celia Keyboard Module access control

CVE-2023-40297 | Stakater Forecastle up to 1.0.139 Website path traversal

CVE-2025-10115 | SiempreCMS up to 1.3.6 user_search_ajax.php name/userName sql injection

CVE-2025-55591 | TOTOLINK A3002R 4.0.0-B20230531.1404 formMapDel devicemac command injection