CVE-2026-5346
Received Received - Intake
Server-Side Request Forgery in huimeicloud hm_editor image-to-base

Publication date: 2026-04-02

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was determined in huimeicloud hm_editor up to 2.2.3. Impacted is the function client.get of the file src/mcp-server.js of the component image-to-base64 Endpoint. Executing a manipulation of the argument url can lead to server-side request forgery. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-02
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-04-02
EPSS Evaluated
2026-06-14
NVD
CVE-2026-5346
EUVD
EUVD-2026-18348
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
huimeicloud hm_editor to 2.2.3 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-5346 is a Server-Side Request Forgery (SSRF) vulnerability found in the huimeicloud hm_editor application, specifically in the image-to-base64 endpoint within the src/mcp-server.js file. The vulnerability arises because the application accepts a URL parameter from users and directly uses it in server-side HTTP requests without proper validation or sanitization.

This means an attacker can manipulate the URL argument to make the server send arbitrary HTTP requests to internal or external systems. For example, the attacker could make the server access internal network resources or sensitive metadata services that are not intended to be exposed.

The root cause is the application's trust in user-supplied URLs without implementing allowlists or blocking dangerous destinations such as loopback or private IP addresses.

Compliance Impact

The vulnerability allows server-side request forgery (SSRF), which can lead to unauthorized access to internal HTTP services and sensitive metadata endpoints. This exposure can compromise the confidentiality of sensitive data.

Such unauthorized access and potential data exposure could negatively impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access.

However, the provided information does not explicitly mention compliance impacts or specific regulatory considerations.

Impact Analysis

This vulnerability can impact you by allowing attackers to make the vulnerable server perform unauthorized HTTP requests to internal or external systems. This can lead to several security issues:

  • Confidentiality risks: Attackers may access sensitive internal services, administrative endpoints, or cloud metadata services, potentially exposing confidential information.
  • Integrity risks: Depending on the internal services accessed, attackers might perform state-changing operations, affecting data integrity.
  • Availability risks: Attackers could cause resource exhaustion or denial of service by triggering many or long-running requests.

Overall, the vulnerability allows remote attackers to exploit the server to interact with internal network resources that should not be accessible, potentially leading to data exposure or disruption.

Detection Guidance

This vulnerability can be detected by monitoring HTTP POST requests to the /image-to-base64 endpoint that include a JSON body with a url parameter. Suspicious requests where the url points to internal or private network addresses (such as 127.0.0.1 or RFC1918 ranges) may indicate exploitation attempts.

A practical detection method is to use curl or similar tools to test if the server fetches internal resources based on attacker-controlled URLs. For example, the following command demonstrates a proof of concept SSRF request:

  • curl -s http://127.0.0.1:3000/image-to-base64 -H 'Content-Type: application/json' -d '{"url":"http://127.0.0.1:8000/poc.png"}'

Additionally, network monitoring tools can be used to detect outbound HTTP requests from the vulnerable server to internal IP addresses or metadata service endpoints that should not normally be accessed.

Mitigation Strategies

Immediate mitigation steps include implementing strict URL allowlists that validate the scheme, host, port, and path of user-supplied URLs to prevent requests to unauthorized destinations.

  • Reject requests targeting loopback addresses, link-local addresses, RFC1918 private IP ranges, and known metadata service addresses after DNS resolution and redirect handling.
  • Disable arbitrary user-supplied fetch and browser navigation targets unless explicitly required by business logic.
  • Add authentication, authorization, audit logging, and rate limiting around sensitive MCP/HTTP handlers to reduce the attack surface.

Longer term, remove direct flow of user-controlled URLs to outbound request sinks and introduce schema validation at the boundary where parameters enter the application.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-5346. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart