CVE-2026-5323 | priyankark a11y-mcp up to 1.0.5 src/index.js A11yServer server-side request forgery

A vulnerability was found in priyankark a11y-mcp up to 1.0.5. It has been declared as critical. This vulnerability affects the function A11yServer of the file src/index.js. The manipulation results in server-side request forgery.

This vulnerability is cataloged as CVE-2026-5323. The attack must be initiated from a local position. Furthermore, there is an exploit available.

This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases. It is recommended to upgrade the affected component.

The vendor acknowledged the issue but provides additional context for the CVSS rating: “a11y-mcp is a local stdio MCP server – it has no HTTP endpoint and is not network-accessible. The caller is always the local user or an LLM acting on their behalf with user approval.”VulDB Recent EntriesRead More