PT-2026-36019 · Algovate · Xhs-Mcp

Eternity · Published 2026-04-29 · Updated 2026-04-30 · CVE-2026-7417

CVSS v2.0: 7.5 (High)

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions

Algovate xhs-mcp version 0.8.11

Description

An issue exists in the MCP Interface component within the xhs publish content() function of the src/server/mcp.server.ts file. A remote attacker can perform server-side request forgery (SSRF)—a flaw that allows a server to be coerced into making unintended requests—by manipulating the media paths argument.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability. As a temporary workaround, restrict the use of the xhs publish content() function or carefully validate the media paths argument to minimize the risk of exploitation.
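
One way to carry out the validation recommended above, as an added TypeScript example that is not code from xhs-mcp or from this advisory. It assumes each media paths entry is either a local file path or a URL; the names checkMediaPath and rejectedMediaPaths and the allowlisted host media.example.com are hypothetical.

```typescript
// Added example: a hypothetical validator, not code from xhs-mcp.
// Assumption: each media path entry is either a local file path or a URL.
const ALLOWED_HOSTS = new Set<string>(["media.example.com"]); // constructed allowlist

type Verdict = { ok: boolean; reason: string };

// Decide whether one entry may be handed to the code that loads media.
function checkMediaPath(entry: string): Verdict {
  const s = entry.trim();
  // No scheme (or a one-letter drive prefix) means a local path: no request is made.
  if (!/^[a-z][a-z0-9+.-]+:/i.test(s)) {
    return { ok: true, reason: "local path" };
  }
  let url: URL;
  try {
    url = new URL(s);
  } catch {
    return { ok: false, reason: "unparseable URL" };
  }
  // Check the parsed fields, never substrings of the raw string.
  if (url.protocol !== "https:") {
    return { ok: false, reason: "scheme not allowed" };
  }
  if (url.username !== "" || url.password !== "") {
    return { ok: false, reason: "credentials in URL" };
  }
  if (url.port !== "") {
    return { ok: false, reason: "non-default port" };
  }
  if (!ALLOWED_HOSTS.has(url.hostname)) {
    return { ok: false, reason: "host not on allowlist" };
  }
  return { ok: true, reason: "allowlisted https URL" };
}

// Entries that fail the check; a caller would refuse the whole request if any exist.
function rejectedMediaPaths(paths: string[]): string[] {
  return paths.filter((p) => !checkMediaPath(p).ok);
}
```

A hostname check alone does not cover redirects or DNS answers that point at internal addresses, so the code that performs the fetch should also refuse redirects and re-check the resolved address. Local paths need their own checks, which this example leaves out.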

Exploit

SSRF


Weakness Enumeration

Related Identifiers

CVE-2026-7417

Affected Products

Xhs-Mcp