CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description
A security vulnerability has been detected in imprvhub mcp-browser-agent up to 0.8.0. It affects the function CallToolRequestSchema in the file src/handlers.ts of the component URL Parameter Handler. Manipulating the argument request.params.name/request.params.arguments leads to server-side request forgery. The attack can be carried out remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Analysis
Server-side request forgery (SSRF) in imprvhub mcp-browser-agent through version 0.8.0 allows authenticated remote attackers to manipulate URL parameters in the CallToolRequestSchema handler, enabling them to forge requests to arbitrary servers. Publicly available exploit code exists, and the vendor has not responded to early disclosure attempts, creating unmitigated exposure for users of affected versions.
EUVD-2026-19144