A vulnerability labeled as critical has been found in wonderwhy-er DesktopCommanderMCP 0.2.37 . This affects the function readFileFromUrl of the file src/tools/filesystem.ts of the component read_file . Such manipulation of the argument url leads to server-side request forgery. This vulnerability is listed as CVE-2026-10690 . The attack may be performed from remote. In addition, an exploit is available. It is best practice to apply a patch to resolve this issue.