Server-Side Request Forgery in aerostackdev aerostack-mcp Media Upload Functionality
CVE-2026-15189

5.3MEDIUM

Key Information:

Vendor
CVE Published:
9 July 2026

What is CVE-2026-15189?

A security vulnerability has been identified in the aerostackdev aerostack-mcp application, specifically within the upload_media function of the mcp-whatsapp component. This vulnerability allows an attacker to manipulate the media_url argument, potentially enabling server-side request forgery (SSRF) attacks. This flaw can be exploited remotely, raising concerns for users operating on the system's rolling release model, as no specific version details are provided. Despite early notification to the project team concerning this issue, no response has been observed. It is essential for users to be aware of this vulnerability and take necessary precautions to safeguard their infrastructures.

Affected Version(s)

aerostack-mcp 6315dfde7df0a15aaf743f88d91347115e09ba23

References

CVSS V4

Score:
5.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

skywings (VulDB User)
VulDB CNA Team
.