{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-7158", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-04-26T20:12:54.993Z", "datePublished": "2026-04-27T21:00:17.311Z", "dateUpdated": "2026-04-28T15:00:55.140Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-27T21:00:17.311Z"}, "title": "dmitryglhf mcp-url-downloader server.py _validate_url_safe server-side request forgery", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-918", "lang": "en", "description": "Server-Side Request Forgery"}]}], "affected": [{"vendor": "dmitryglhf", "product": "mcp-url-downloader", "versions": [{"version": "4b8cf2de55f6e8864a77d108e8a94a5b8e4394c6", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability has been found in dmitryglhf mcp-url-downloader up to 4b8cf2de55f6e8864a77d108e8a94a5b8e4394c6. Affected by this issue is the function _validate_url_safe of the file src/mcp_url_downloader/server.py. Such manipulation of the argument url leads to server-side request forgery. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. The project was informed of the problem early through an issue report but has not responded yet."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "HIGH"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 7.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "HIGH"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-04-26T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-04-26T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-04-26T22:17:59.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "SmallW (VulDB User)", "type": "reporter"}, {"lang": "en", "value": "VulDB CNA Team", "type": "coordinator"}], "references": [{"url": "https://vuldb.com/vuln/359757", "name": "VDB-359757 | dmitryglhf mcp-url-downloader server.py _validate_url_safe server-side request forgery", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/359757/cti", "name": "VDB-359757 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/802062", "name": "Submit #802062 | dmitryglhf mcp-url-downloader 0.1.0 Server-Side Request Forgery", "tags": ["third-party-advisory"]}, {"url": "https://github.com/dmitryglhf/url-download-mcp/issues/2", "tags": ["exploit", "issue-tracking"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-28T14:59:11.087083Z", "id": "CVE-2026-7158", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T15:00:55.140Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"title": "dmitryglhf mcp-url-downloader server.py _validate_url_safe server-side request forgery", "credits": [{"lang": "en", "type": "reporter", "value": "SmallW (VulDB User)"}, {"lang": "en", "type": "coordinator", "value": "VulDB CNA Team"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 7.3, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 7.3, "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "affected": [{"vendor": "dmitryglhf", "product": "mcp-url-downloader", "versions": [{"status": "affected", "version": "4b8cf2de55f6e8864a77d108e8a94a5b8e4394c6"}]}], "timeline": [{"lang": "en", "time": "2026-04-26T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-04-26T02:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-04-26T22:17:59.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/vuln/359757", "name": "VDB-359757 | dmitryglhf mcp-url-downloader server.py _validate_url_safe server-side request forgery", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/359757/cti", "name": "VDB-359757 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/802062", "name": "Submit #802062 | dmitryglhf mcp-url-downloader 0.1.0 Server-Side Request Forgery", "tags": ["third-party-advisory"]}, {"url": "https://github.com/dmitryglhf/url-download-mcp/issues/2", "tags": ["exploit", "issue-tracking"]}], "descriptions": [{"lang": "en", "value": "A vulnerability has been found in dmitryglhf mcp-url-downloader up to 4b8cf2de55f6e8864a77d108e8a94a5b8e4394c6. Affected by this issue is the function _validate_url_safe of the file src/mcp_url_downloader/server.py. Such manipulation of the argument url leads to server-side request forgery. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. The project was informed of the problem early through an issue report but has not responded yet."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "Server-Side Request Forgery"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-27T21:00:17.311Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-7158", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-28T14:59:11.087083Z"}}}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-04-28T15:00:08.459Z"}}]}, "cveMetadata": {"cveId": "CVE-2026-7158", "state": "PUBLISHED", "dateUpdated": "2026-04-27T21:00:17.311Z", "dateReserved": "2026-04-26T20:12:54.993Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-04-27T21:00:17.311Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability has been found in dmitryglhf mcp-url-downloader up to 4b8cf2de55f6e8864a77d108e8a94a5b8e4394c6. Affected by this issue is the function _validate_url_safe of the file src/mcp_url_downloader/server.py. Such manipulation of the argument url leads to server-side request forgery. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. The project was informed of the problem early through an issue report but has not responded yet."}], "id": "CVE-2026-7158", "lastModified": "2026-04-29T01:00:01.613", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-04-27T21:16:44.337", "references": [{"source": "cna@vuldb.com", "url": "https://github.com/dmitryglhf/url-download-mcp/issues/2"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/submit/802062"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/359757"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/359757/cti"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "4b8cf2de55f6e8864a77d108e8a94a5b8e4394c6"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "mcp-url-downloader", "source": "cna", "vendor": "dmitryglhf"}, "product": "mcp-url-downloader", "vendor": "dmitryglhf"}], "analysis": {"en": {"generated_at": "2026-04-28T12:49:48.841392+00:00", "value": {"mitigation_remediation": ["Update the mcp-url-downloader package to the most recent commit that fixes the _validate_url_safe function; if a patched release is not yet available, pull the latest source code directly from the repository and apply the code changes that limit URL parsing to safe domains.", "Configure the environment so that outbound HTTP requests from the mcp-url-downloader process are restricted. Use firewall rules or a proxy to block connections to internal IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and only permit outgoing traffic to approved external services.", "Add an additional layer of URL validation in the deployment where you can whitelist a set of trusted domains. Reject or sanitize any URL that resolves to private or local addresses before the application forwards the request."], "summary": {"action": "Immediate Patch", "impact": "Server\u2011side request forgery"}, "threat_synthesis": {"affected_systems": "The affected package is dmitryglhf mcp-url-downloader. Versions up to the commit 4b8cf2de55f6e8864a77d108e8a94a5b8e4394c6 are vulnerable. The project follows a rolling\u2011release model, so exact version numbers for patched releases are not publicly documented; users should check the repository for the latest commit when applying a fix.", "description_and_impact": "The vulnerability lies in the _validate_url_safe function of the mcp-url-downloader project, enabling an attacker to supply a crafted URL that causes the server to make arbitrary HTTP requests on the attacker\u2019s behalf. This server\u2011side request forgery can lead to exposure of internal resources, execution of unintended operations, and potential compromise of sensitive systems. The flaw is identified as CWE\u2011918 and is rated moderate with a CVSS score of 6.9. The exploitation requires only remote access to the application and can affect any system that runs the vulnerable code.", "risk_and_exploitability": "The publicly disclosed exploit is available, and the vulnerability can be triggered remotely. The EPSS score is not available, but the CVSS score of 6.9 indicates a medium severity. The vulnerability is not listed in the CISA KEV catalog. Attackers can target the service through normal traffic channels, making the attack vector likely remote and accessible to anyone who can reach the application. Because no official patch is currently published, the risk is higher for deployments that have not migrated to the latest commit."}}}}, "created": "2026-04-28T09:16:53.779496+00:00", "updated": "2026-04-28T13:00:15.231977+00:00", "vendors": ["dmitryglhf", "dmitryglhf$PRODUCT$mcp-url-downloader"]}