Description
A security vulnerability has been detected in AlejandroArciniegas mcp-data-vis up to de5a51525a69822290eaee569a1ab447b490746d. Affected by this vulnerability is the function axios of the file src/servers/web-scraper/server.js of the component HTTP Request Handler. Such manipulation leads to server-side request forgery. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-04-27
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Server‑Side Request Forgery
Action: Patch Promptly
AI Analysis

Impact

A server-side request forgery (SSRF) flaw exists in the axios function within the HTTP Request Handler of the mcp-data-vis project. The vulnerability permits a remote attacker to craft requests that the server then executes, allowing the attacker to reach arbitrary URLs, including internal network endpoints. Such an attack can lead to data exfiltration, internal service discovery, or further chained exploitation, affecting the confidentiality and integrity of the system. The bug is present in all revisions up to commit de5a51525a69822290eaee569a1ab447b490746d, and no fix has yet been reported.

Affected Systems

The affected product is AlejandroArciniegas mcp-data-vis, a web-scraping component that uses axios in src/servers/web-scraper/server.js. All revisions from the repository's initial commit up to commit de5a51525a69822290eaee569a1ab447b490746d are vulnerable. Because the project follows a rolling release model, no version numbers are defined, and the vulnerability remains present until an explicit update is provided.

Risk and Exploitability

The CVSS base score is 6.9, indicating medium severity. An EPSS score is not available, so the current exploitation probability cannot be quantified; the vulnerability is not listed in the CISA KEV catalog. An attacker who can interact with the web-scraper endpoint can trigger the SSRF directly through the unvalidated outgoing request function. No workaround has been supplied by the vendor, and the issue remains open, so the risk persists until a fix or mitigating deployment controls are in place.

Generated by OpenCVE AI on April 28, 2026 at 12:56 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Monitor the project repository for an updated commit that resolves the SSRF vulnerability and apply it as soon as available.
  • Disable or remove the direct axios call in src/servers/web-scraper/server.js, replacing it with a validated request function that enforces a whitelist of allowed destinations.
  • Implement network controls, such as a firewall or proxy, that block the application from reaching private IP ranges or internal services, limiting the potential impact of SSRF.
  • Enable logging and alerting for outbound HTTP requests originating from the server to detect and respond to suspicious activity.

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 04:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Alejandroarciniegas; Alejandroarciniegas mcp-data-vis
Vendors & Products | | Alejandroarciniegas; Alejandroarciniegas mcp-data-vis

Mon, 27 Apr 2026 19:30:00 +0000

Type | Values Removed | Values Added
Metrics (ssvc) | | {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 27 Apr 2026 18:15:00 +0000

Type | Values Removed | Values Added
Description | | A security vulnerability has been detected in AlejandroArciniegas mcp-data-vis up to de5a51525a69822290eaee569a1ab447b490746d. Affected by this vulnerability is the function axios of the file src/servers/web-scraper/server.js of the component HTTP Request Handler. Such manipulation leads to server-side request forgery. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases. The project was informed of the problem early through an issue report but has not responded yet.
Title | | AlejandroArciniegas mcp-data-vis HTTP Request server.js axios server-side request forgery
Weaknesses | | CWE-918
References | |
Metrics (cvssV2_0) | | {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
Metrics (cvssV3_0) | | {'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
Metrics (cvssV3_1) | | {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
Metrics (cvssV4_0) | | {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-27T18:37:28.265Z

Reserved: 2026-04-26T19:56:02.952Z

Link: CVE-2026-7146

Vulnrichment

Updated: 2026-04-27T18:36:58.670Z

NVD

Status: Deferred

Published: 2026-04-27T18:16:56.927

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-7146

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T13:00:15Z

Weaknesses