High severity7.3NVD Advisory· Published Apr 27, 2026· Updated Apr 29, 2026

CVE-2026-7158

Description

A vulnerability has been found in dmitryglhf mcp-url-downloader up to 4b8cf2de55f6e8864a77d108e8a94a5b8e4394c6. Affected by this issue is the function _validate_url_safe of the file src/mcp_url_downloader/server.py. Such manipulation of the argument url leads to server-side request forgery. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. The project was informed of the problem early through an issue report but has not responded yet.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
mcp-url-downloaderPyPI	<= 0.1.0	—

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-h7xc-4mv8-59fjghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2026-7158ghsaADVISORY
github.com/dmitryglhf/url-download-mcp/issues/2nvdWEB
vuldb.com/submit/802062nvdWEB
vuldb.com/vuln/359757nvdWEB
vuldb.com/vuln/359757/ctinvdWEB

News mentions

No linked articles in our index yet.

cvss	0.474
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000