CVE-2026-10690 | wonderwhy-er DesktopCommanderMCP 0.2.37 read_file src/tools/filesystem.ts readFileFromUrl url server-side request forgery (Issue 410)

Inserito da Angelo Barbosa | Giu 2, 2026 | CVE

A vulnerability labeled as critical has been found in wonderwhy-er DesktopCommanderMCP 0.2.37. This affects the function readFileFromUrl of the file src/tools/filesystem.ts of the component read_file. Such manipulation of the argument url leads to server-side request forgery.

This vulnerability is listed as CVE-2026-10690. The attack may be performed from remote. In addition, an exploit is available.

It is best practice to apply a patch to resolve this issue.

CVE-2026-10690 | wonderwhy-er DesktopCommanderMCP 0.2.37 read_file src/tools/filesystem.ts readFileFromUrl url server-side request forgery (Issue 410)

Post correlati

CVE-2024-50703 | TeamPass up to 3.1.3.0 user_id external control of assumed-immutable web parameter

CVE-2025-8743 | Scada-LTS up to 2.7.8.1 Virtual Data Source Property /data_source_edit.shtm Name cross site scripting

CVE-2025-6226 | Mattermost up to 9.11.16/10.5.6/10.7.3/10.8.1 Private Channel missing authentication

CVE-2024-10538 | Happy Addons for Elementor Plugin up to 3.12.5 on WordPress Image Comparison cross site scripting