Submit #780752: priyankark a11y-mcp 1.0.4 Server-Side Request Forgeryinfo

Titlepriyankark a11y-mcp 1.0.4 Server-Side Request Forgery
Descriptionpriyankark a11y-mcp contains a server-side request forgery (SSRF) vulnerability in src/index.js. The affected MCP request handlers pass an attacker-controlled URL to Puppeteer navigation logic without enforcing a strict destination allowlist or equivalent network restrictions. An attacker who can invoke the vulnerable handlers can cause the server to initiate requests to arbitrary internal or external resources, including loopback, private-address, link-local, or cloud metadata endpoints, subject to network reachability.
Source⚠️ https://github.com/wing3e/public_exp/issues/17
User
 BigW (UID 96422)
Submission03/16/2026 11:47 (4 months ago)
Moderation04/01/2026 15:12 (16 days later)
StatusAccepted
VulDB entry354655 [priyankark a11y-mcp up to 1.0.5 src/index.js A11yServer server-side request forgery]
Points20

Want to know what is going to be exploited?

We predict KEV entries!