CVE-2026-14748: SSRF in the mcp-wiki Server Disclosed July 5
TheHackerWire·medium signal
CVE-2026-14748, disclosed July 5, is a server-side request forgery in the mcp-wiki server component, exploitable by manipulating a URL argument to make the server issue attacker-controlled requests. It lands amid a broader wave of MCP CVEs and reinforces that community MCP servers frequently trust caller-supplied URLs without validation. Anyone running mcp-wiki or similar fetch-style MCP servers should pin versions and add egress/allowlist controls.