PYSEC-2026-2386

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/auto-favicon/PYSEC-2026-2386.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-2386
Aliases
Published
2026-07-13T15:02:54.059369Z
Modified
2026-07-13T16:31:31.292468468Z
Severity
  • 6.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L CVSS Calculator
  • 2.1 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P CVSS Calculator
Summary
auto-favicon has a Server-Side Request Forgery issue
Details

A vulnerability was found in dh1011 auto-favicon up to f189116a9259950c2393f114dbcb94dde0ad864b. This issue affects the function generatefaviconfromurl of the file src/autofavicon/server.py of the component MCP Tool. The manipulation of the argument image_url results in server-side request forgery. The attack may be performed from remote. The exploit has been made public and could be used. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. The project was informed of the problem early through an issue report but has yet to receive a response.

References

Affected packages

PyPI / auto-favicon

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Last affected
1.0.1

Affected versions

1.*
1.0.1

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/auto-favicon/PYSEC-2026-2386.yaml"