CVE-2026-5346 | huimeicloud hm_editor up to 2.2.3 image-to-base64 Endpoint src/mcp-server.js client.get url server-side request forgery

A vulnerability labeled as critical has been found in huimeicloud hm_editor up to 2.2.3. Impacted is the function client.get of the file src/mcp-server.js of the component image-to-base64 Endpoint. Executing a manipulation of the argument url can lead to server-side request forgery.

This vulnerability is registered as CVE-2026-5346. It is possible to launch the attack remotely. Furthermore, an exploit is available.

The vendor was contacted early about this disclosure but did not respond in any way.

CVE-2026-5346 | huimeicloud hm_editor up to 2.2.3 image-to-base64 Endpoint src/mcp-server.js client.get url server-side request forgery

Post correlati

CVE-2023-47842 | Zachary Segal CataBlog Plugin up to 1.7.0 on WordPress unrestricted upload

CVE-2024-27453 | Extreme XOS up to 22.6.1.4 HTTP POST Request python Privilege Escalation

CVE-2025-31947 | Mattermost up to 9.11.11/10.4.4/10.5.2/10.6.1 LDAP Lockout overly restrictive account lockout mechanism

CVE-2025-23419 | F5 NGINX Open Source/NGINX Plus improper authentication (K000149173)