CVE-2026-10280 | horizon921 mcpilot 0.1.0 MCP API Call Endpoint route.ts serverBaseUrl server-side request forgery

May 31, 2026 Yanac

A vulnerability, which was classified as critical, was found in horizon921 mcpilot 0.1.0. The impacted element is an unknown function of the file client/src/app/api/mcp/call/route.ts of the component MCP API Call Endpoint. The manipulation of the argument serverBaseUrl results in server-side request forgery.

This vulnerability is reported as CVE-2026-10280. The attack can be launched remotely. Moreover, an exploit is present.

The project was informed of the problem early through an issue report but has not responded yet.VulDB Recent EntriesRead More