CVE-2026-42260 (HIGH 8.2, EPSS percentile 11.8%)

Description

Open-WebSearch is a multi-engine MCP server, CLI, and local daemon for agent web search and content retrieval. Prior to 2.1.7, isPublicHttpUrl / assertPublicHttpUrl in src/utils/urlSafety.ts neither recognize bracketed IPv6 literals nor resolve DNS before deciding that a URL is public. A URL whose host is a bracketed IPv6 literal is therefore not compared against the internal-address rules, and a hostname that resolves to an internal address is never checked at all. Together these gaps allow non-blind SSRF: the server fetches the attacker-chosen URL and returns the response body to the caller. This vulnerability is fixed in 2.1.7.
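The check the advisory describes can be demonstrated in the project's own language. The following is an added example, not code from open-webSearch or its fix: a constructed weak check of the kind the advisory names (hostname-string matching that knows only IPv4 prefixes) beside a hardened check that unwraps bracketed IPv6 literals, classifies IPv4, IPv6, IPv4-mapped and link-local addresses, and refuses a hostname unless every DNS answer is public. All function and type names (isPublicHttpUrlNaive, isPrivateAddress, checkPublicHttpUrl, assertPublicHttpUrl, Verdict) are this example's own assumptions; only the file path above is the project's. The decision logic is kept pure so it runs and can be tested without the network; the async wrapper is the only part that talks to DNS.

```typescript
// Added example (not open-webSearch code): a URL safety check that closes the
// two gaps the advisory names, bracketed IPv6 literals and unresolved hostnames.
// All names here are this example's own.
import { URL } from "url";
import { isIPv4, isIPv6 } from "net";
import { promises as dns } from "dns";

function parseUrl(raw: string): URL | null {
  try { return new URL(raw); } catch { return null; }
}

// Constructed illustration of the weak pattern: a string test that knows only
// IPv4 prefixes. "http://[::1]/" passes (no prefix matches "[::1]") and
// "http://intranet.example/" passes because the name is never resolved.
export function isPublicHttpUrlNaive(raw: string): boolean {
  const u = parseUrl(raw);
  if (!u || (u.protocol !== "http:" && u.protocol !== "https:")) return false;
  if (u.hostname === "localhost") return false;
  return !/^(127\.|10\.|192\.168\.|169\.254\.|0\.)/.test(u.hostname);
}

function ipv4IsPrivate(ip: string): boolean {
  const [a, b] = ip.split(".").map(Number);
  return a === 0 || a === 10 || a === 127 || a >= 224 ||  // this-net, 10/8, loopback, multicast/reserved
    (a === 169 && b === 254) ||                            // link-local, includes 169.254.169.254
    (a === 172 && b >= 16 && b <= 31) ||                   // 172.16.0.0/12
    (a === 192 && b === 168) ||                            // 192.168.0.0/16
    (a === 100 && b >= 64 && b <= 127);                    // 100.64.0.0/10 (CGNAT)
}

// Expand an IPv6 literal (already validated by isIPv6) into eight 16-bit groups,
// handling "::" compression, a zone id, and a dotted IPv4 tail such as ::ffff:127.0.0.1.
function ipv6Groups(ip: string): number[] {
  let s = ip.split("%")[0];
  const m = s.match(/^(.*:)(\d+\.\d+\.\d+\.\d+)$/);
  if (m) {
    const o = m[2].split(".").map(Number);
    s = m[1] + ((o[0] << 8) | o[1]).toString(16) + ":" + ((o[2] << 8) | o[3]).toString(16);
  }
  const [head, tail] = s.split("::");
  const hs = head ? head.split(":") : [];
  const ts = tail ? tail.split(":") : [];
  const fill = tail === undefined ? [] : new Array(8 - hs.length - ts.length).fill("0");
  return [...hs, ...fill, ...ts].map((g) => parseInt(g, 16));
}

function ipv6IsPrivate(ip: string): boolean {
  const g = ipv6Groups(ip);
  if (g.slice(0, 5).every((x) => x === 0) && g[5] === 0xffff) {  // IPv4-mapped: reuse the IPv4 verdict
    return ipv4IsPrivate(`${g[6] >> 8}.${g[6] & 0xff}.${g[7] >> 8}.${g[7] & 0xff}`);
  }
  const unspecified = g.every((x) => x === 0);
  const loopback = g.slice(0, 7).every((x) => x === 0) && g[7] === 1;
  return unspecified || loopback ||
    (g[0] & 0xffc0) === 0xfe80 ||   // fe80::/10 link-local
    (g[0] & 0xfe00) === 0xfc00 ||   // fc00::/7 unique local
    (g[0] & 0xff00) === 0xff00;     // ff00::/8 multicast
}

// Anything that is not a classifiable address is refused rather than allowed.
export function isPrivateAddress(ip: string): boolean {
  if (isIPv4(ip)) return ipv4IsPrivate(ip);
  if (isIPv6(ip)) return ipv6IsPrivate(ip);
  return true;
}

export type Verdict =
  | { kind: "public"; host: string }
  | { kind: "reject"; reason: string }
  | { kind: "resolve"; host: string };  // caller must resolve host and call again with the answers

// Pure decision logic: literals are decided here, hostnames need the resolver's answers.
export function checkPublicHttpUrl(raw: string, resolved?: string[]): Verdict {
  const u = parseUrl(raw);
  if (!u) return { kind: "reject", reason: "unparseable URL" };
  if (u.protocol !== "http:" && u.protocol !== "https:") return { kind: "reject", reason: `scheme ${u.protocol} not allowed` };
  if (u.username || u.password) return { kind: "reject", reason: "credentials in URL" };
  let host = u.hostname.toLowerCase();
  if (host.startsWith("[") && host.endsWith("]")) host = host.slice(1, -1);  // WHATWG keeps brackets on IPv6
  if (host === "localhost" || host.endsWith(".localhost")) return { kind: "reject", reason: "localhost" };
  if (isIPv4(host) || isIPv6(host)) {
    return isPrivateAddress(host) ? { kind: "reject", reason: `literal ${host} is not public` } : { kind: "public", host };
  }
  if (resolved === undefined) return { kind: "resolve", host };
  if (resolved.length === 0) return { kind: "reject", reason: `${host} did not resolve` };
  const bad = resolved.find(isPrivateAddress);  // every answer must be public, not just the first
  return bad ? { kind: "reject", reason: `${host} resolves to ${bad}` } : { kind: "public", host };
}

// Network wrapper: resolve once, check every answer, then return the host.
export async function assertPublicHttpUrl(raw: string): Promise<string> {
  let v = checkPublicHttpUrl(raw);
  if (v.kind === "resolve") {
    const answers = await dns.lookup(v.host, { all: true });
    v = checkPublicHttpUrl(raw, answers.map((a) => a.address));
  }
  if (v.kind === "reject") throw new Error(v.reason);
  return v.host;
}
```

Two caveats a practitioner will want: the addresses that passed the check must be the ones the HTTP client actually connects to (pass them into the client's `lookup` option or connect to the address directly with the original Host header), otherwise a second resolution at connect time can return a different, internal answer; and the check has to run again on every redirect hop, since a public host can 302 to an internal one.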

Scoring

CVSS 3.1: 8.2 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
The C:H / I:L split matches the non-blind nature of the flaw: the body of the internal response is returned to the caller, while the attacker's influence on the target is limited to the requests the server is induced to make.
EPSS: 0.21% probability of exploitation · percentile 11.8% · scored 2026-06-18T12:00:27Z
Published: 2026-05-12
Last modified: 2026-05-14

Underlying weaknesses (1)

CWE-918 (Server-Side Request Forgery)

References

  1. https://github.com/Aas-ee/open-webSearch/security/advisories/GHSA-v228-72c7-fx8j

Type      Target                                       Confidence  Tier
Weakness  Server-Side Request Forgery (SSRF), CWE-918  0%          live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

  CVE: CVE-2026-45400
  CVE: CVE-2026-45401
  CVE: CVE-2026-6011
  CVE: CVE-2026-45331
  CVE: CVE-2026-28395
  CVE: CVE-2026-28467

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.