directus-mcp CVE-2026-7729 | EUVD-2026-26883
Severity: LOW
Server-Side Request Forgery (SSRF) (CWE-918)
2026-05-04 VulDB
CVSS 4.0 score: 2.1

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: X

Lifecycle Timeline (9 events)

PoC Detected: May 04, 2026 - 15:18 (vuln.today). Public exploit code.
Severity Changed: May 04, 2026 - 05:22 (NVD). MEDIUM to LOW.
CVSS changed: May 04, 2026 - 05:22 (NVD). 6.3 (MEDIUM) to 2.1 (LOW).
Source Code Evidence Fetched: May 04, 2026 - 05:00 (vuln.today).
Analysis Generated: May 04, 2026 - 05:00 (vuln.today).
EUVD ID Assigned: May 04, 2026 - 04:30 (euvd). EUVD-2026-26883.
Analysis Generated: May 04, 2026 - 04:30 (vuln.today).
Patch released: May 04, 2026 - 04:30 (nvd). Patch available.
CVE Published: May 04, 2026 - 03:45 (nvd). LOW 2.1.

Description (NVD)

A security flaw has been discovered in pixelsock directus-mcp 1.0.0. This issue affects the function validateUrl of the file index.ts of the component MCP Interface. Performing a manipulation of the argument fileUrl results in server-side request forgery. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks. The pull request to fix this issue awaits acceptance.

Analysis (AI)

Server-side request forgery (SSRF) in pixelsock directus-mcp 1.0.0 allows authenticated remote attackers to manipulate the fileUrl argument in the validateUrl function, enabling requests to internal resources including cloud metadata services and private networks. Publicly available exploit code exists and a patch awaiting acceptance is available on GitHub. …
