High severity8.2GHSA Advisory· Published May 12, 2026· Updated May 14, 2026
CVE-2026-42260
CVE-2026-42260
Description
Open-WebSearch is a multi-engine MCP server, CLI, and local daemon for agent web search and content retrieval. Prior to 2.1.7, isPublicHttpUrl / assertPublicHttpUrl in src/utils/urlSafety.ts do not recognize bracketed IPv6 literals and do not resolve DNS, which combine to allow non-blind SSRF with the response body returned to the caller. This vulnerability is fixed in 2.1.7.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
open-websearchnpm | < 2.1.7 | 2.1.7 |
Affected products
2- Range: <= 2.1.6
Patches
Vulnerability mechanics
References
3News mentions
0No linked articles in our index yet.