CVE-2026-7729
pixelsock directus-mcp MCP index.ts validateUrl server-side request forgery
Vexday Risk Score
33Attention
SSVC decision (CISA)
Attend
PoC available → attend closely
CVSS 5.3EPSS 0.2%KEV nãoPoC públicaNuclei —Metasploit —Patch referenciado
Lifecycle
04 May 2026Published on NVD
Recommendation: Plan a near-term fix — a public PoC already exists.
A security flaw has been discovered in pixelsock directus-mcp 1.0.0. This issue affects the function validateUrl of the file index.ts of the component MCP Interface. Performing a manipulation of the argument fileUrl results in server-side request forgery. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks. The pull request to fix this issue awaits acceptance.
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P
Affected products
pixelsock · directus-mcppublic PoCs found — 1
cve_referencegithub.com/BruceJqs/public_exp/issues/36unverified⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.