Mcpilot
Server-side request forgery in horizon921 mcpilot 0.1.0 allows unauthenticated remote attackers to make the server issue arbitrary HTTP requests by supplying an attacker-chosen value for the `serverBaseUrl` parameter of the MCP API Call Endpoint (`client/src/app/api/mcp/call/route.ts`). The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) records that the flaw is reachable over the network with low attack complexity, no attack requirements, no privileges and no user interaction, so anyone who can reach the endpoint can trigger it. Proof-of-concept exploit code is available (Exploit Maturity E:P), no vendor patch has been released, and the project maintainer has not yet responded to the responsible disclosure.