Vendor
A server-side request forgery vulnerability (CVE-2026-6604) exists in modelscope agentscope up to version 1.0.18, allowing remote attackers to manipulate the image_url or audio_file_url arguments to perform SSRF attacks via the Cloud Metadata Endpoint component.