CVE-2026-5607

Summary

A security vulnerability has been detected in imprvhub mcp-browser-agent up to 0.8.0. This impacts the function CallToolRequestSchema of the file src/handlers.ts of the component URL Parameter Handler. The manipulation of the argument request.params.name/request.params.arguments leads to server-side request forgery. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Affected Software

VendorProductVersion RangeStatus
imprvhubmcp-browser-agent0.1affected
imprvhubmcp-browser-agent0.2affected
imprvhubmcp-browser-agent0.3affected
imprvhubmcp-browser-agent0.4affected
imprvhubmcp-browser-agent0.5affected
imprvhubmcp-browser-agent0.6affected
imprvhubmcp-browser-agent0.7affected
imprvhubmcp-browser-agent0.8.0affected

Weaknesses

  • CWE-918: Server-Side Request Forgery

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

References