CVE-2026-10690
published 2026-06-03CVE-2026-10690: A vulnerability was identified in wonderwhy-er DesktopCommanderMCP 0.2.37. This affects the function readFileFromUrl of the file src/tools/filesystem.ts of the…
PriorityP341medium6.3CVSS 3.1
AVNACLPRLUINSUCLILAL
EPSS
0.21%
11.1th percentile
A vulnerability was identified in wonderwhy-er DesktopCommanderMCP 0.2.37. This affects the function readFileFromUrl of the file src/tools/filesystem.ts of the component read_file. Such manipulation of the argument url leads to server-side request forgery. The attack may be performed from remote. The exploit is publicly available and might be used. The name of the patch is 53699bebba9950047bca16ac4dc8f0568f596aaa. It is best practice to apply a patch to resolve this issue.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wonderwhy-er | desktopcommandermcp | — | — |
CVSS provenance
nvdv3.16.3MEDIUMCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
nvdv4.02.1LOWCVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
nvdv2.06.5MEDIUMAV:N/AC:L/Au:S/C:P/I:P/A:P
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
VulDB
wonderwhy-er DesktopCommanderMCP 0.2.37 read_file src/tools/filesystem.ts readFileFromUrl url server-side request forgery (Issue 410 / EUVD-2026-34053)
vuldb·2026-06-07·CVSS 6.3
CVE-2026-10690 [MEDIUM] wonderwhy-er DesktopCommanderMCP 0.2.37 read_file src/tools/filesystem.ts readFileFromUrl url server-side request forgery (Issue 410 / EUVD-2026-34053)
A vulnerability labeled as critical has been found in wonderwhy-er DesktopCommanderMCP 0.2.37. This affects the function readFileFromUrl of the file src/tools/filesystem.ts of the component read_file. Such manipulation of the argument url leads to server-side request forgery.
This vulnerability is listed as CVE-2026-10690. The attack may be performed from remote. In addition, an exploit is available.
It is best practice to apply a patch to resolve this issue.
GHSA
A vulnerability was identified in wonderwhy-er DesktopCommanderMCP 0.2.37.
ghsa_unreviewed·2026-06-03
CVE-2026-10690 [LOW] CWE-918 A vulnerability was identified in wonderwhy-er DesktopCommanderMCP 0.2.37.
A vulnerability was identified in wonderwhy-er DesktopCommanderMCP 0.2.37. This affects the function readFileFromUrl of the file src/tools/filesystem.ts of the component read_file. Such manipulation of the argument url leads to server-side request forgery. The attack may be performed from remote. The exploit is publicly available and might be used. The name of the patch is 53699bebba9950047bca16ac4dc8f0568f596aaa. It is best practice to apply a patch to resolve this issue.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://github.com/sorlen008/DesktopCommanderMCP/commit/53699bebba9950047bca16ac4dc8f0568f596aaahttps://github.com/wonderwhy-er/DesktopCommanderMCP/https://github.com/wonderwhy-er/DesktopCommanderMCP/issues/410https://vuldb.com/cve/CVE-2026-10690https://vuldb.com/submit/830735https://vuldb.com/vuln/367959https://vuldb.com/vuln/367959/ctihttps://vuldb.com/submit/830735
2026-06-03
Published