CVE-2026-10274 | indrasishbanerjee aem-mcp-server up to b5f833aef9b5dfd17a5991b3b18a8a11edbdc583 Axios Request Flow src/mcp-server.ts getAssetMetadata assetPath server-side request forgery

A vulnerability labeled as critical has been found in indrasishbanerjee aem-mcp-server up to b5f833aef9b5dfd17a5991b3b18a8a11edbdc583. This impacts the function getAssetMetadata of the file src/mcp-server.ts of the component Axios Request Flow. Executing a manipulation of the argument assetPath can lead to server-side request forgery.

This vulnerability is tracked as CVE-2026-10274. The attack can be launched remotely. Moreover, an exploit is present.

This product does not use versioning. This is why information about affected and unaffected releases are unavailable.

The project was informed of the problem early through an issue report but has not responded yet.

CVE-2026-10274 | indrasishbanerjee aem-mcp-server up to b5f833aef9b5dfd17a5991b3b18a8a11edbdc583 Axios Request Flow src/mcp-server.ts getAssetMetadata assetPath server-side request forgery

Post correlati

CVE-2024-53030 | Qualcomm Snapdragon Auto/Snapdragon Industrial IOT up to SRV1M FE Driver memory corruption

CVE-2025-4050 | Google Chrome up to 135.0.7049.95 DevTools out-of-bounds

CVE-2026-42217 | AcademySoftwareFoundation OpenEXR up to 3.2.8/3.3.10/3.4.10 EXR File readVariableLengthInteger integer overflow (GHSA-3c67-4wwp-w52m / EUVD-2026-28300)

CVE-2024-2634 | Cegid Meta4 HR 819.001.022 generico_login.jsp lang cross site scripting