← volver
CVE-2026-15750

mastergo-design mastergo-magic-mcp mcp__getComponentLink get-component-link.ts z.string server-side request forgery

CVSS 5.3 MEDIUMCWE-918
Vexday Risk Score
30Bajo
Decisión SSVC (CISA)
Attend
PoC disponible → seguir de cerca
Madurez del exploit
Prueba de concepto
Existe prueba de concepto pública, pero aún no automatizada.
CVSS 5.3EPSS KEV nãoPoC públicaNuclei Metasploit Patch
Ciclo de vida
14 jul 2026Publicada en NVD
Recomendación: Planificar corrección próxima — ya existe PoC pública.
A weakness has been identified in mastergo-design mastergo-magic-mcp up to 0.2.0. Impacted is the function z.string of the file src/tools/get-component-link.ts of the component mcp__getComponentLink. Executing a manipulation of the argument url can lead to server-side request forgery. The attack may be performed from remote. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P
⚠ Recursos públicos, para evaluar la exposición de sistemas que controlas o estás autorizado a probar. Prueba solo con autorización.