CVE-2026-10661

MEDIUM 4.3

ahujasid blender-mcp server.py open injection

CVSS Score

4.3

EPSS Score

0.0%

EPSS Percentile

10th

A vulnerability has been found in ahujasid blender-mcp up to 7636d13bded82eca58eb93c3f4cd8708dfdfbe8b. Impacted is the function Open of the file src/blender_mcp/server.py. The manipulation of the argument input_image_url leads to injection. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. The identifier of the patch is 5b37be25242e73dc4cf1328974d30458b9e5d67e. To fix this issue, it is recommended to deploy a patch.

CWE	CWE-74 CWE-707
Vendor	ahujasid
Product	blender-mcp
Published	Jun 2, 2026
Last Updated	Jun 3, 2026

Stay Ahead of the Next One

Get instant alerts for ahujasid blender-mcp

Be the first to know when new medium vulnerabilities affecting ahujasid blender-mcp are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

Affected Versions

ahujasid / blender-mcp

7636d13bded82eca58eb93c3f4cd8708dfdfbe8b

References

NVD ↗ CVE.org ↗ EPSS Data ↗

vuldb.com: https://vuldb.com/vuln/367956 vuldb.com: https://vuldb.com/vuln/367956/cti vuldb.com: https://vuldb.com/cve/CVE-2026-10661 vuldb.com: https://vuldb.com/submit/830486 github.com: https://github.com/ahujasid/blender-mcp/issues/202 github.com: https://github.com/ahujasid/blender-mcp/pull/205 github.com: https://github.com/bergskenop/blender-mcp/commit/5b37be25242e73dc4cf1328974d30458b9e5d67e github.com: https://github.com/ahujasid/blender-mcp/

Credits

🔍 skywings (VulDB User)