Uni-CLI Vulnerability: Legacy HTTP MCP Transport Accepts Browser-Originated Localhost Requests
Uni-CLI versions before 0.225.2 expose a local /mcp endpoint over the legacy HTTP MCP transport that does not distinguish requests made by a local client from requests a browser sends on behalf of a web page. A malicious page can issue a CORS "simple" POST (one that uses a content type such as text/plain and so is sent without a preflight) to the /mcp endpoint on localhost. The browser withholds the response from the page, but the request itself still reaches the server, so the page can drive tools/call requests against the user's local Uni-CLI server without the user's involvement. The issue carries a CVSS score of 8.6 (high severity). To mitigate, upgrade to version 0.225.2 or later.