CVE-2026-7146 MEDIUM

CVE-2026-7146: AlejandroArciniegas mcp-data-vis HTTP Request server.js axios server-side request forgery

Vendor Alejandroarciniegas
Product mcp-data-vis
Weakness CWE-918 · SSRF
Published April 27, 2026
Last update April 27, 2026
View on NVD All CVEs

CVSS base score

6.9/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P

What the vulnerability does

01Description

A security vulnerability has been detected in AlejandroArciniegas mcp-data-vis up to de5a51525a69822290eaee569a1ab447b490746d. Affected by this vulnerability is the function axios of the file src/servers/web-scraper/server.js of the component HTTP Request Handler. Such manipulation leads to server-side request forgery. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases. The project was informed of the problem early through an issue report but has not responded yet.

Key dates

02Disclosure timeline

April 27, 2026 CVE published
April 27, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2026-10274 indrasishbanerjee aem-mcp-server Axios Request Flow mcp-server.ts getAssetMetadata server-side request forgery CVE-2024-5021 WordPress Picture / Portfolio / Media Gallery <= 3.0.1 - Unauthenticated Server-Side Request Forgery CVE-2022-1977 WP Ultimate CSV Importer < 6.5.3 - Admin+ Blind SSRF CVE-2023-39313 WordPress Avada theme <= 7.11.1 - Authenticated Server Side Request Forgery (SSRF) vulnerability CVE-2025-47936 TYPO3 Vulnerable to Server Side Request Forgery via Webhooks