CVE-2026-10690

Source
https://cve.org/CVERecord?id=CVE-2026-10690
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-10690.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-10690
Aliases
Published
2026-06-02T23:15:08.998Z
Modified
2026-07-10T17:41:40.672251961Z
Severity
  • 2.1 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P CVSS Calculator
Summary
wonderwhy-er DesktopCommanderMCP read_file filesystem.ts readFileFromUrl server-side request forgery
Details

A vulnerability was identified in wonderwhy-er DesktopCommanderMCP 0.2.37. This affects the function readFileFromUrl of the file src/tools/filesystem.ts of the component read_file. Such manipulation of the argument url leads to server-side request forgery. The attack may be performed from remote. The exploit is publicly available and might be used. The name of the patch is 53699bebba9950047bca16ac4dc8f0568f596aaa. It is best practice to apply a patch to resolve this issue.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/10xxx/CVE-2026-10690.json",
    "cna_assigner": "VulDB",
    "cwe_ids": [
        "CWE-918"
    ]
}
References

Affected packages

Git / github.com/sorlen008/desktopcommandermcp

Affected ranges

Type
GIT
Repo
https://github.com/sorlen008/desktopcommandermcp
Events
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "0.2.37"
        },
        {
            "last_affected": "0.2.37"
        }
    ]
}

Affected versions

0.*
0.2.37

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-10690.json"