{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5346", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-04-01T16:04:54.992Z", "datePublished": "2026-04-02T15:00:16.365Z", "dateUpdated": "2026-04-02T16:22:00.246Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-02T15:00:16.365Z"}, "title": "huimeicloud hm_editor image-to-base64 Endpoint mcp-server.js client.get server-side request forgery", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-918", "lang": "en", "description": "Server-Side Request Forgery"}]}], "affected": [{"vendor": "huimeicloud", "product": "hm_editor", "versions": [{"version": "2.2.0", "status": "affected"}, {"version": "2.2.1", "status": "affected"}, {"version": "2.2.2", "status": "affected"}, {"version": "2.2.3", "status": "affected"}], "modules": ["image-to-base64 Endpoint"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was determined in huimeicloud hm_editor up to 2.2.3. Impacted is the function client.get of the file src/mcp-server.js of the component image-to-base64 Endpoint. Executing a manipulation of the argument url can lead to server-side request forgery. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "HIGH"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 7.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "HIGH"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-04-01T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-04-01T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-04-01T18:09:59.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "BigW (VulDB User)", "type": "reporter"}, {"lang": "en", "value": "VulDB CNA Team", "type": "coordinator"}], "references": [{"url": "https://vuldb.com/vuln/354701", "name": "VDB-354701 | huimeicloud hm_editor image-to-base64 Endpoint mcp-server.js client.get server-side request forgery", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/354701/cti", "name": "VDB-354701 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/781341", "name": "Submit #781341 | huimeicloud hmEditor 2.2.3 Server-Side Request Forgery", "tags": ["third-party-advisory"]}, {"url": "https://github.com/wing3e/public_exp/issues/11", "tags": ["exploit", "issue-tracking"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-02T16:09:08.891883Z", "id": "CVE-2026-5346", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T16:22:00.246Z"}}]}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was determined in huimeicloud hm_editor up to 2.2.3. Impacted is the function client.get of the file src/mcp-server.js of the component image-to-base64 Endpoint. Executing a manipulation of the argument url can lead to server-side request forgery. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way."}], "id": "CVE-2026-5346", "lastModified": "2026-04-02T15:16:53.833", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-04-02T15:16:53.833", "references": [{"source": "cna@vuldb.com", "url": "https://github.com/wing3e/public_exp/issues/11"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/submit/781341"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/354701"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/354701/cti"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.2.0"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.2.1"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.2.2"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.2.3"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "hm_editor", "source": "cna", "vendor": "huimeicloud"}, "product": "hm_editor", "vendor": "huimeicloud"}], "analysis": {"en": {"generated_at": "2026-04-02T16:35:16.338368+00:00", "value": {"mitigation_remediation": ["Apply the latest version of huimeicloud hm_editor that fixes the SSRF issue.", "If an update is not immediately possible, block outbound traffic from the server to internal networks or restrict the image\u2011to\u2011base64 endpoint to trusted sources.", "Consider disabling the vulnerable image\u2011to\u2011base64 endpoint entirely if it is not required for business operations."], "summary": {"action": "Immediate Patch", "impact": "Server\u2011Side Request Forgery"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the huimeicloud hm_editor component, specifically all releases up to and including version 2.2.3. Operations consuming the image\u2011to\u2011base64 endpoint in any affected deployment are potentially exploitable until a patch or configuration change is applied.", "description_and_impact": "A flaw in the client.get function of src/mcp-server.js in huimeicloud hm_editor up to version 2.2.3 allows an attacker to manipulate the url parameter sent to the image\u2011to\u2011base64 endpoint, causing the server to perform arbitrary HTTP requests. This server\u2011side request forgery can be triggered remotely and may expose internal resources or allow data exfiltration. The CWE is 918, highlighting the vulnerability in how the server processes untrusted URL input.", "risk_and_exploitability": "With a CVSS score of 6.9 the flaw is classified as moderate severity; the exploit is publicly disclosed and may be used by attackers. Exploitation requires only a crafted request to the vulnerable endpoint, making it straightforward for a remote attacker. Due to the absence of an EPSS score and its non\u2011listing in the KEV catalog, precise exploit likelihood is uncertain, but remote SSRF remains a significant risk to confidentiality and integrity of internal services."}}}}, "created": "2026-04-02T20:11:33.306162+00:00", "updated": "2026-04-02T20:20:14.733259+00:00", "vendors": ["huimeicloud", "huimeicloud$PRODUCT$hm_editor"]}