A vulnerability, which was classified as critical , was found in horizon921 mcpilot 0.1.0 . The impacted element is an unknown function of the file client/src/app/api/mcp/call/route.ts of the component MCP API Call Endpoint . The manipulation of the argument serverBaseUrl results in server-side request forgery. This vulnerability is reported as CVE-2026-10280 . The attack can be launched remotely. Moreover, an exploit is present. The project was informed of the problem early through an issue rep