GHSA-vmh7-9c7h-2pgg

Source

https://github.com/advisories/GHSA-vmh7-9c7h-2pgg

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-vmh7-9c7h-2pgg/GHSA-vmh7-9c7h-2pgg.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-vmh7-9c7h-2pgg

Aliases

CVE-2026-7150

Published

2026-04-27T21:31:02Z

Modified

2026-05-06T18:51:10.026349Z

Severity

6.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L CVSS Calculator
2.1 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P CVSS Calculator

Summary

auto-favicon has a Server-Side Request Forgery issue

Details

A vulnerability was found in dh1011 auto-favicon up to f189116a9259950c2393f114dbcb94dde0ad864b. This issue affects the function generatefaviconfromurl of the file src/autofavicon/server.py of the component MCP Tool. The manipulation of the argument image_url results in server-side request forgery. The attack may be performed from remote. The exploit has been made public and could be used. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. The project was informed of the problem early through an issue report but has yet to receive a response.

Database specific

{
    "github_reviewed_at": "2026-05-06T18:29:24Z",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-918"
    ],
    "nvd_published_at": "2026-04-27T19:17:00Z",
    "severity": "LOW"
}

References

Affected packages

PyPI / auto-favicon

Package

Name: auto-favicon; View open source insights on deps.dev
Purl: pkg:pypi/auto-favicon

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Last affected

1.0.1

Affected versions

1.*

1.0.1

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-vmh7-9c7h-2pgg/GHSA-vmh7-9c7h-2pgg.json"