Is there a public PoC exploit available for EUVD-2026-33738?

Yes, a public proof-of-concept exploit is available for EUVD-2026-33738. Prioritise patching immediately. EPSS: 0.0%.

mcpilot EUVD-2026-33738

Q: What is the CVSS score of EUVD-2026-33738?

EUVD-2026-33738 has a CVSS 4.0 base score of 5.5 (Medium). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

| CVE-2026-10280 MEDIUM

Server-Side Request Forgery (SSRF) (CWE-918)

2026-06-01 VulDB

GHSA-6w53-8mcc-fqqh

SSRF Mcpilot

5.5

CVSS 4.0 · NVD

Severity by source

NVD PRIMARY

5.5 MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

Analysis Generated

Jun 01, 2026 - 19:25 vuln.today

Severity Changed

Jun 01, 2026 - 19:22 NVD

HIGH MEDIUM

CVSS changed

Jun 01, 2026 - 19:22 NVD

7.3 (HIGH) 5.5 (MEDIUM)

DescriptionCVE.org

A security flaw has been discovered in horizon921 mcpilot 0.1.0. The impacted element is an unknown function of the file client/src/app/api/mcp/call/route.ts of the component MCP API Call Endpoint. The manipulation of the argument serverBaseUrl results in server-side request forgery. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.

AnalysisAI

Server-side request forgery in horizon921 mcpilot 0.1.0 allows unauthenticated remote attackers to force the server to issue arbitrary HTTP requests by supplying a malicious value to the serverBaseUrl parameter in the MCP API Call Endpoint (client/src/app/api/mcp/call/route.ts). The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms the attack requires no authentication and no user interaction, making it trivially reachable from the network. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Identify exposed mcpilot /api/mcp/call endpoint

Delivery

Send unauthenticated HTTP request with malicious serverBaseUrl

Exploit

Server issues forged outbound request to attacker-controlled target

Execution

Retrieve response containing internal service data or credentials

Impact

Leverage harvested credentials for further access