PT-2026-35531 · Unknown · Mcp-Url-Downloader

Smallw · Published 2026-04-27 · Updated 2026-04-27 · CVE-2026-7158

CVSS v2.0: 7.5 (High)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions

dmitryglhf mcp-url-downloader versions prior to 4b8cf2de55f6e8864a77d108e8a94a5b8e4394c6

Description

An issue in the validate_url_safe() function within the src/mcp_url_downloader/server.py file allows for server-side request forgery (SSRF), a flaw where an attacker can induce the server to make requests to an unintended location. This can be executed remotely by manipulating the url argument.

Recommendations

Update to a version later than 4b8cf2de55f6e8864a77d108e8a94a5b8e4394c6. As a temporary workaround, restrict access to the validate_url_safe() function to minimize the risk of exploitation.

Exploit

Fix

SSRF

Weakness Enumeration

Related Identifiers

CVE-2026-7158
GHSA-H7XC-4MV8-59FJ

Affected Products

Mcp-Url-Downloader