HIGH
oraios
CVE published 2026-07-07
CVE-2026-49471
The CVE record for CVE-2026-49471 was published on 2026-07-07T21:17:25.833Z. Serena, a powerful MCP toolkit for coding, has a built-in web dashboard that exposes an unauthenticated Flask API on a fixed, predictable port. This API has no authentication, no CSRF protection, and no Host header validation. A DNS rebinding attack can be used to reach this API from any browser and write arbitrary content to the [truncated]