CVE-2026-7417

Source
https://cve.org/CVERecord?id=CVE-2026-7417
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-7417.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-7417
Published
2026-04-29T21:45:12.360Z
Modified
2026-07-15T01:49:08.922549103Z
Severity
  • 5.5 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P CVSS Calculator
Summary
Algovate xhs-mcp MCP mcp.server.ts xhs_publish_content server-side request forgery
Details

A vulnerability was found in Algovate xhs-mcp 0.8.11. This affects the function xhspublishcontent of the file src/server/mcp.server.ts of the component MCP Interface. Performing a manipulation of the argument media_paths results in server-side request forgery. The attack may be initiated remotely. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/7xxx/CVE-2026-7417.json",
    "cwe_ids": [
        "CWE-918"
    ],
    "cna_assigner": "VulDB"
}
References

Affected packages

Git / github.com/algovate/xhs-mcp

Affected ranges

Type
GIT
Repo
https://github.com/algovate/xhs-mcp
Events
Database specific
{
    "extracted_events": [
        {
            "introduced": "0.8.11"
        },
        {
            "last_affected": "0.8.11"
        }
    ],
    "source": "AFFECTED_FIELD"
}

Affected versions

0.*
0.8.11
v0.*
v0.8.11

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-7417.json"