pixelsock directus-mcp MCP index.ts validateUrl server-side request forgery_CVE-2026-7729

5.3 / 10

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P

Description

A security flaw has been discovered in pixelsock directus-mcp 1.0.0. This issue affects the function validateUrl of the file index.ts of the component MCP Interface. Performing a manipulation of the argument fileUrl results in server-side request forgery. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks. The pull request to fix this issue awaits acceptance.

Basic Information

ID CVE-2026-7729

Source VulDB

Published May 4, 2026 at 03:45

Affected Product

Vendor pixelsock

Product directus-mcp

Version 1.0.0

Affected Versions pixelsock directus-mcp 1.0.0

CWE Classification

CWE-918

References

{
    "lastseen": "",
    "description": "A security flaw has been discovered in pixelsock directus-mcp 1.0.0. This issue affects the function validateUrl of the file index.ts of the component MCP Interface. Performing a manipulation of the argument fileUrl results in server-side request forgery. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks. The pull request to fix this issue awaits acceptance.",
    "published": "2026-05-04T03:45:14.096Z",
    "modified": "2026-05-04T03:45:14.096Z",
    "type": "cve",
    "title": "pixelsock directus-mcp MCP index.ts validateUrl server-side request forgery",
    "source": "VulDB",
    "references": "https://vuldb.com/vuln/360904\nhttps://vuldb.com/vuln/360904/cti\nhttps://vuldb.com/submit/807539\nhttps://github.com/pixelsock/directus-mcp/issues/13\nhttps://github.com/pixelsock/directus-mcp/pull/14\nhttps://github.com/BruceJqs/public_exp/issues/36\nhttps://github.com/pixelsock/directus-mcp/",
    "id": "CVE-2026-7729",
    "bulletinFamily": "",
    "cwe": [
        "CWE-918"
    ],
    "cvelist": null,
    "sourceData": "pixelsock directus-mcp 1.0.0",
    "sourceHref": "",
    "cvss": {
        "score": 5.3,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "directus-mcp",
    "version": "1.0.0",
    "vendor": "pixelsock",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}