Common Weakness Enumeration

CWE-918

Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

CVE-2026-7147 (GCVE-0-2026-7147)

Vulnerability from cvelistv5 – Published: 2026-04-27 18:15 – Updated: 2026-04-27 19:30
Title
JoeCastrom mcp-chat-studio LLM Models API llm.js server-side request forgery
Summary
A vulnerability was detected in JoeCastrom mcp-chat-studio up to 1.5.0. Affected by this issue is some unknown functionality of the file server/routes/llm.js of the component LLM Models API. Performing a manipulation of the argument req.query.base_url results in server-side request forgery. Remote exploitation of the attack is possible. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
SSVC
Exploitation: poc Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-918 - Server-Side Request Forgery
Assigner: VulDB
References
URL Tags
https://vuldb.com/vuln/359746 vdb-entry, technical-description
https://vuldb.com/vuln/359746/cti signature, permissions-required
https://vuldb.com/submit/801896 third-party-advisory
https://github.com/JoeCastrom/mcp-chat-studio/issues/4 exploit, issue-tracking
https://github.com/JoeCastrom/mcp-chat-studio/ product
Impacted products
Vendor: JoeCastrom  Product: mcp-chat-studio  Affected versions: 1.0, 1.1, 1.2, 1.3, 1.4, 1.5.0
Credits
Reporter: MidA (VulDB User); Coordinator: VulDB CNA Team

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-7147",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-27T19:30:02.495131Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-27T19:30:13.300Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "modules": [
            "LLM Models API"
          ],
          "product": "mcp-chat-studio",
          "vendor": "JoeCastrom",
          "versions": [
            {
              "status": "affected",
              "version": "1.0"
            },
            {
              "status": "affected",
              "version": "1.1"
            },
            {
              "status": "affected",
              "version": "1.2"
            },
            {
              "status": "affected",
              "version": "1.3"
            },
            {
              "status": "affected",
              "version": "1.4"
            },
            {
              "status": "affected",
              "version": "1.5.0"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "MidA (VulDB User)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "VulDB CNA Team"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability was detected in JoeCastrom mcp-chat-studio up to 1.5.0. Affected by this issue is some unknown functionality of the file server/routes/llm.js of the component LLM Models API. Performing a manipulation of the argument req.query.base_url results in server-side request forgery. Remote exploitation of the attack is possible. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 7.5,
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-918",
              "description": "Server-Side Request Forgery",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-27T18:15:15.510Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-359746 | JoeCastrom mcp-chat-studio LLM Models API llm.js server-side request forgery",
          "tags": [
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://vuldb.com/vuln/359746"
        },
        {
          "name": "VDB-359746 | CTI Indicators (IOB, IOC, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/vuln/359746/cti"
        },
        {
          "name": "Submit #801896 | JoeCastrom mcp-chat-studio 1.5.0 Server-Side Request Forgery",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/submit/801896"
        },
        {
          "tags": [
            "exploit",
            "issue-tracking"
          ],
          "url": "https://github.com/JoeCastrom/mcp-chat-studio/issues/4"
        },
        {
          "tags": [
            "product"
          ],
          "url": "https://github.com/JoeCastrom/mcp-chat-studio/"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-04-26T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2026-04-26T02:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2026-04-26T22:04:03.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "JoeCastrom mcp-chat-studio LLM Models API llm.js server-side request forgery"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2026-7147",
    "datePublished": "2026-04-27T18:15:15.510Z",
    "dateReserved": "2026-04-26T19:58:59.072Z",
    "dateUpdated": "2026-04-27T19:30:13.300Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-7150 (GCVE-0-2026-7150)

Vulnerability from cvelistv5 – Published: 2026-04-27 19:00 – Updated: 2026-04-28 14:19
Title
dh1011 auto-favicon MCP Tool server.py generate_favicon_from_url server-side request forgery
Summary
A vulnerability was found in dh1011 auto-favicon up to f189116a9259950c2393f114dbcb94dde0ad864b. This issue affects the function generate_favicon_from_url of the file src/auto_favicon/server.py of the component MCP Tool. The manipulation of the argument image_url results in server-side request forgery. The attack may be performed from remote. The exploit has been made public and could be used. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. The project was informed of the problem early through an issue report but has not responded yet.
SSVC
Exploitation: poc Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-918 - Server-Side Request Forgery
Assigner: VulDB
References
URL Tags
https://vuldb.com/vuln/359749 vdb-entry, technical-description
https://vuldb.com/vuln/359749/cti signature, permissions-required
https://vuldb.com/submit/802054 third-party-advisory
https://github.com/dh1011/auto-favicon-mcp/issues/2 exploit, issue-tracking
Impacted products
Vendor: dh1011  Product: auto-favicon  Affected: up to commit f189116a9259950c2393f114dbcb94dde0ad864b (rolling release, no version numbers published)
Credits
Reporter: MidA (VulDB User); Coordinator: VulDB CNA Team

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-7150",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-28T14:19:06.528951Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-28T14:19:17.663Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "modules": [
            "MCP Tool"
          ],
          "product": "auto-favicon",
          "vendor": "dh1011",
          "versions": [
            {
              "status": "affected",
              "version": "f189116a9259950c2393f114dbcb94dde0ad864b"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "MidA (VulDB User)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "VulDB CNA Team"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability was found in dh1011 auto-favicon up to f189116a9259950c2393f114dbcb94dde0ad864b. This issue affects the function generate_favicon_from_url of the file src/auto_favicon/server.py of the component MCP Tool. The manipulation of the argument image_url results in server-side request forgery. The attack may be performed from remote. The exploit has been made public and could be used. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. The project was informed of the problem early through an issue report but has not responded yet."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 6.5,
            "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-918",
              "description": "Server-Side Request Forgery",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-27T19:00:14.777Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-359749 | dh1011 auto-favicon MCP Tool server.py generate_favicon_from_url server-side request forgery",
          "tags": [
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://vuldb.com/vuln/359749"
        },
        {
          "name": "VDB-359749 | CTI Indicators (IOB, IOC, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/vuln/359749/cti"
        },
        {
          "name": "Submit #802054 | dh1011 auto-favicon 1.0.1 Server-Side Request Forgery",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/submit/802054"
        },
        {
          "tags": [
            "exploit",
            "issue-tracking"
          ],
          "url": "https://github.com/dh1011/auto-favicon-mcp/issues/2"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-04-26T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2026-04-26T02:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2026-04-26T22:08:52.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "dh1011 auto-favicon MCP Tool server.py generate_favicon_from_url server-side request forgery"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2026-7150",
    "datePublished": "2026-04-27T19:00:14.777Z",
    "dateReserved": "2026-04-26T20:03:47.765Z",
    "dateUpdated": "2026-04-28T14:19:17.663Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-7158 (GCVE-0-2026-7158)

Vulnerability from cvelistv5 – Published: 2026-04-27 21:00 – Updated: 2026-04-28 15:00
Title
dmitryglhf mcp-url-downloader server.py _validate_url_safe server-side request forgery
Summary
A vulnerability has been found in dmitryglhf mcp-url-downloader up to 4b8cf2de55f6e8864a77d108e8a94a5b8e4394c6. Affected by this issue is the function _validate_url_safe of the file src/mcp_url_downloader/server.py. Such manipulation of the argument url leads to server-side request forgery. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. The project was informed of the problem early through an issue report but has not responded yet.
SSVC
Exploitation: poc Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-918 - Server-Side Request Forgery
Assigner: VulDB
References
URL Tags
https://vuldb.com/vuln/359757 vdb-entry, technical-description
https://vuldb.com/vuln/359757/cti signature, permissions-required
https://vuldb.com/submit/802062 third-party-advisory
https://github.com/dmitryglhf/url-download-mcp/issues/2 exploit, issue-tracking
Impacted products
Vendor: dmitryglhf  Product: mcp-url-downloader  Affected: up to commit 4b8cf2de55f6e8864a77d108e8a94a5b8e4394c6 (rolling release, no version numbers published)
Credits
Reporter: SmallW (VulDB User); Coordinator: VulDB CNA Team

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-7158",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-28T14:59:11.087083Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-28T15:00:55.140Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "mcp-url-downloader",
          "vendor": "dmitryglhf",
          "versions": [
            {
              "status": "affected",
              "version": "4b8cf2de55f6e8864a77d108e8a94a5b8e4394c6"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "SmallW (VulDB User)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "VulDB CNA Team"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability has been found in dmitryglhf mcp-url-downloader up to 4b8cf2de55f6e8864a77d108e8a94a5b8e4394c6. Affected by this issue is the function _validate_url_safe of the file src/mcp_url_downloader/server.py. Such manipulation of the argument url leads to server-side request forgery. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. The project was informed of the problem early through an issue report but has not responded yet."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 7.5,
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-918",
              "description": "Server-Side Request Forgery",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-27T21:00:17.311Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-359757 | dmitryglhf mcp-url-downloader server.py _validate_url_safe server-side request forgery",
          "tags": [
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://vuldb.com/vuln/359757"
        },
        {
          "name": "VDB-359757 | CTI Indicators (IOB, IOC, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/vuln/359757/cti"
        },
        {
          "name": "Submit #802062 | dmitryglhf mcp-url-downloader 0.1.0 Server-Side Request Forgery",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/submit/802062"
        },
        {
          "tags": [
            "exploit",
            "issue-tracking"
          ],
          "url": "https://github.com/dmitryglhf/url-download-mcp/issues/2"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-04-26T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2026-04-26T02:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2026-04-26T22:17:59.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "dmitryglhf mcp-url-downloader server.py _validate_url_safe server-side request forgery"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2026-7158",
    "datePublished": "2026-04-27T21:00:17.311Z",
    "dateReserved": "2026-04-26T20:12:54.993Z",
    "dateUpdated": "2026-04-28T15:00:55.140Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-7177 (GCVE-0-2026-7177)

Vulnerability from cvelistv5 – Published: 2026-04-27 21:45 – Updated: 2026-04-28 14:47
Title
ChatGPTNextWeb NextChat route.ts proxyHandler server-side request forgery
Summary
A security flaw has been discovered in ChatGPTNextWeb NextChat up to 2.16.1. Affected by this issue is the function proxyHandler of the file app/api/[provider]/[...path]/route.ts. The manipulation results in server-side request forgery. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
SSVC
Exploitation: poc Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-918 - Server-Side Request Forgery
Assigner: VulDB
References
URL Tags
https://vuldb.com/vuln/359779 vdb-entry, technical-description
https://vuldb.com/vuln/359779/cti signature, permissions-required
https://vuldb.com/submit/797645 third-party-advisory
https://github.com/ChatGPTNextWeb/NextChat/issues/6742 issue-tracking
https://gist.github.com/YLChen-007/da6b00024f5b7e1d4fa0658c19b77fbf exploit
https://github.com/ChatGPTNextWeb/NextChat/ product
Impacted products
Vendor: ChatGPTNextWeb  Product: NextChat  Affected versions: 2.16.0, 2.16.1
Credits
Reporter: Eric-b (VulDB User); Coordinator: VulDB CNA Team

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-7177",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-28T14:47:49.679157Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-28T14:47:57.952Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "NextChat",
          "vendor": "ChatGPTNextWeb",
          "versions": [
            {
              "status": "affected",
              "version": "2.16.0"
            },
            {
              "status": "affected",
              "version": "2.16.1"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "Eric-b (VulDB User)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "VulDB CNA Team"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A security flaw has been discovered in ChatGPTNextWeb NextChat up to 2.16.1. Affected by this issue is the function proxyHandler of the file app/api/[provider]/[...path]/route.ts. The manipulation results in server-side request forgery. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 7.5,
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-918",
              "description": "Server-Side Request Forgery",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-27T21:45:15.349Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-359779 | ChatGPTNextWeb NextChat route.ts proxyHandler server-side request forgery",
          "tags": [
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://vuldb.com/vuln/359779"
        },
        {
          "name": "VDB-359779 | CTI Indicators (IOB, IOC, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/vuln/359779/cti"
        },
        {
          "name": "Submit #797645 | nextchat \u003c= 2.16.1 Server-Side Request Forgery / SSRF (CWE-918)",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/submit/797645"
        },
        {
          "tags": [
            "issue-tracking"
          ],
          "url": "https://github.com/ChatGPTNextWeb/NextChat/issues/6742"
        },
        {
          "tags": [
            "exploit"
          ],
          "url": "https://gist.github.com/YLChen-007/da6b00024f5b7e1d4fa0658c19b77fbf"
        },
        {
          "tags": [
            "product"
          ],
          "url": "https://github.com/ChatGPTNextWeb/NextChat/"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-04-27T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2026-04-27T02:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2026-04-27T10:21:11.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "ChatGPTNextWeb NextChat route.ts proxyHandler server-side request forgery"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2026-7177",
    "datePublished": "2026-04-27T21:45:15.349Z",
    "dateReserved": "2026-04-27T08:15:58.463Z",
    "dateUpdated": "2026-04-28T14:47:57.952Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-7178 (GCVE-0-2026-7178)

Vulnerability from cvelistv5 – Published: 2026-04-27 22:00 – Updated: 2026-04-28 14:01
Title
ChatGPTNextWeb NextChat Artifacts Endpoint route.ts storeUrl server-side request forgery
Summary
A weakness has been identified in ChatGPTNextWeb NextChat up to 2.16.1. This affects the function storeUrl of the file app/api/artifacts/route.ts of the component Artifacts Endpoint. This manipulation of the argument ID causes server-side request forgery. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
SSVC
Exploitation: poc Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-918 - Server-Side Request Forgery
Assigner: VulDB
References
URL Tags
https://vuldb.com/vuln/359780 vdb-entry, technical-description
https://vuldb.com/vuln/359780/cti signature, permissions-required
https://vuldb.com/submit/797646 third-party-advisory
https://github.com/ChatGPTNextWeb/NextChat/issues/6741 issue-tracking
https://gist.github.com/YLChen-007/43252d45d75e8bdd2d45136fd6ffe8a5 exploit
Impacted products
Vendor: ChatGPTNextWeb  Product: NextChat  Component: Artifacts Endpoint  Affected versions: 2.16.0, 2.16.1
Credits
Reporter: Eric-b (VulDB User); Coordinator: VulDB CNA Team

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-7178",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-28T14:01:30.983014Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-28T14:01:44.043Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "modules": [
            "Artifacts Endpoint"
          ],
          "product": "NextChat",
          "vendor": "ChatGPTNextWeb",
          "versions": [
            {
              "status": "affected",
              "version": "2.16.0"
            },
            {
              "status": "affected",
              "version": "2.16.1"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "Eric-b (VulDB User)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "VulDB CNA Team"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A weakness has been identified in ChatGPTNextWeb NextChat up to 2.16.1. This affects the function storeUrl of the file app/api/artifacts/route.ts of the component Artifacts Endpoint. This manipulation of the argument ID causes server-side request forgery. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 7.5,
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-918",
              "description": "Server-Side Request Forgery",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-27T22:00:20.342Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-359780 | ChatGPTNextWeb NextChat Artifacts Endpoint route.ts storeUrl server-side request forgery",
          "tags": [
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://vuldb.com/vuln/359780"
        },
        {
          "name": "VDB-359780 | CTI Indicators (IOB, IOC, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/vuln/359780/cti"
        },
        {
          "name": "Submit #797646 | nextchat \u003c= 2.16.1 Server-Side Request Forgery (CWE-918) / Path Traversal (CWE-22)",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/submit/797646"
        },
        {
          "tags": [
            "issue-tracking"
          ],
          "url": "https://github.com/ChatGPTNextWeb/NextChat/issues/6741"
        },
        {
          "tags": [
            "exploit"
          ],
          "url": "https://gist.github.com/YLChen-007/43252d45d75e8bdd2d45136fd6ffe8a5"
        },
        {
          "tags": [
            "product"
          ],
          "url": "https://github.com/ChatGPTNextWeb/NextChat/"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-04-27T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2026-04-27T02:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2026-04-27T10:21:14.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "ChatGPTNextWeb NextChat Artifacts Endpoint route.ts storeUrl server-side request forgery"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2026-7178",
    "datePublished": "2026-04-27T22:00:20.342Z",
    "dateReserved": "2026-04-27T08:16:05.917Z",
    "dateUpdated": "2026-04-28T14:01:44.043Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-7221 (GCVE-0-2026-7221)

Vulnerability from cvelistv5 – Published: 2026-04-28 03:30 – Updated: 2026-04-28 14:34 X_Open Source
VLAI
Title
TencentCloudBase CloudBase-MCP open-url API Endpoint interactive-server.ts openUrl server-side request forgery
Summary
A vulnerability was found in TencentCloudBase CloudBase-MCP up to 2.17.0. Affected is the function openUrl of the file mcp/src/interactive-server.ts of the component open-url API Endpoint. The manipulation of the argument req.body.url results in server-side request forgery. It is possible to launch the attack remotely. The exploit has been made public and could be used. Upgrading to version 2.17.1 is able to address this issue. The patch is identified as 3f678a1e7bd400cd76469d61024097d4920dc6b5. It is recommended to upgrade the affected component.
SSVC
Exploitation: poc Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-918 - Server-Side Request Forgery
Assigner
Impacted products
Vendor Product Version
TencentCloudBase CloudBase-MCP Affected: 2.0
Affected: 2.1
Affected: 2.2
Affected: 2.3
Affected: 2.4
Affected: 2.5
Affected: 2.6
Affected: 2.7
Affected: 2.8
Affected: 2.9
Affected: 2.10
Affected: 2.11
Affected: 2.12
Affected: 2.13
Affected: 2.14
Affected: 2.15
Affected: 2.16
Affected: 2.17.0
Unaffected: 2.17.1
Credits
BruceJin (VulDB User)

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-7221",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-28T13:59:37.594891Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-28T14:34:11.887Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "modules": [
            "open-url API Endpoint"
          ],
          "product": "CloudBase-MCP",
          "vendor": "TencentCloudBase",
          "versions": [
            {
              "status": "affected",
              "version": "2.0"
            },
            {
              "status": "affected",
              "version": "2.1"
            },
            {
              "status": "affected",
              "version": "2.2"
            },
            {
              "status": "affected",
              "version": "2.3"
            },
            {
              "status": "affected",
              "version": "2.4"
            },
            {
              "status": "affected",
              "version": "2.5"
            },
            {
              "status": "affected",
              "version": "2.6"
            },
            {
              "status": "affected",
              "version": "2.7"
            },
            {
              "status": "affected",
              "version": "2.8"
            },
            {
              "status": "affected",
              "version": "2.9"
            },
            {
              "status": "affected",
              "version": "2.10"
            },
            {
              "status": "affected",
              "version": "2.11"
            },
            {
              "status": "affected",
              "version": "2.12"
            },
            {
              "status": "affected",
              "version": "2.13"
            },
            {
              "status": "affected",
              "version": "2.14"
            },
            {
              "status": "affected",
              "version": "2.15"
            },
            {
              "status": "affected",
              "version": "2.16"
            },
            {
              "status": "affected",
              "version": "2.17.0"
            },
            {
              "status": "unaffected",
              "version": "2.17.1"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "BruceJin (VulDB User)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability was found in TencentCloudBase CloudBase-MCP up to 2.17.0. Affected is the function openUrl of the file mcp/src/interactive-server.ts of the component open-url API Endpoint. The manipulation of the argument req.body.url results in server-side request forgery. It is possible to launch the attack remotely. The exploit has been made public and could be used. Upgrading to version 2.17.1 is able to address this issue. The patch is identified as 3f678a1e7bd400cd76469d61024097d4920dc6b5. It is recommended to upgrade the affected component."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 7.5,
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-918",
              "description": "Server-Side Request Forgery",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-28T03:30:19.669Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-359821 | TencentCloudBase CloudBase-MCP open-url API Endpoint interactive-server.ts openUrl server-side request forgery",
          "tags": [
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://vuldb.com/vuln/359821"
        },
        {
          "name": "VDB-359821 | CTI Indicators (IOB, IOC, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/vuln/359821/cti"
        },
        {
          "name": "Submit #802230 | TencentCloudBase CloudBase-MCP 2.16.1 Server-Side Request Forgery",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/submit/802230"
        },
        {
          "tags": [
            "exploit",
            "issue-tracking"
          ],
          "url": "https://github.com/TencentCloudBase/CloudBase-MCP/issues/509"
        },
        {
          "tags": [
            "issue-tracking",
            "patch"
          ],
          "url": "https://github.com/TencentCloudBase/CloudBase-MCP/pull/510"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/TencentCloudBase/CloudBase-MCP/commit/3f678a1e7bd400cd76469d61024097d4920dc6b5"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/TencentCloudBase/CloudBase-MCP/releases/tag/v2.17.1"
        },
        {
          "tags": [
            "product"
          ],
          "url": "https://github.com/TencentCloudBase/CloudBase-MCP/"
        }
      ],
      "tags": [
        "x_open-source"
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-04-27T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2026-04-27T02:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2026-04-27T17:40:14.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "TencentCloudBase CloudBase-MCP open-url API Endpoint interactive-server.ts openUrl server-side request forgery"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2026-7221",
    "datePublished": "2026-04-28T03:30:19.669Z",
    "dateReserved": "2026-04-27T15:35:08.733Z",
    "dateUpdated": "2026-04-28T14:34:11.887Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-7223 (GCVE-0-2026-7223)

Vulnerability from cvelistv5 – Published: 2026-04-28 04:00 – Updated: 2026-04-28 12:42
VLAI
Title
BigSweetPotatoStudio HyperChat AI Proxy Middleware aiProxyMiddleware.mts fetch server-side request forgery
Summary
A vulnerability was identified in BigSweetPotatoStudio HyperChat up to 2.0.0-alpha.63. Affected by this issue is the function fetch of the file packages/core/src/http/aiProxyMiddleware.mts of the component AI Proxy Middleware. Such manipulation of the argument baseurl leads to server-side request forgery. The attack can be launched remotely. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet.
SSVC
Exploitation: poc Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-918 - Server-Side Request Forgery
Assigner
References
Impacted products
Vendor Product Version
BigSweetPotatoStudio HyperChat Affected: 2.0.0-alpha.0
Affected: 2.0.0-alpha.1
Affected: 2.0.0-alpha.2
Affected: 2.0.0-alpha.3
Affected: 2.0.0-alpha.4
Affected: 2.0.0-alpha.5
Affected: 2.0.0-alpha.6
Affected: 2.0.0-alpha.7
Affected: 2.0.0-alpha.8
Affected: 2.0.0-alpha.9
Affected: 2.0.0-alpha.10
Affected: 2.0.0-alpha.11
Affected: 2.0.0-alpha.12
Affected: 2.0.0-alpha.13
Affected: 2.0.0-alpha.14
Affected: 2.0.0-alpha.15
Affected: 2.0.0-alpha.16
Affected: 2.0.0-alpha.17
Affected: 2.0.0-alpha.18
Affected: 2.0.0-alpha.19
Affected: 2.0.0-alpha.20
Affected: 2.0.0-alpha.21
Affected: 2.0.0-alpha.22
Affected: 2.0.0-alpha.23
Affected: 2.0.0-alpha.24
Affected: 2.0.0-alpha.25
Affected: 2.0.0-alpha.26
Affected: 2.0.0-alpha.27
Affected: 2.0.0-alpha.28
Affected: 2.0.0-alpha.29
Affected: 2.0.0-alpha.30
Affected: 2.0.0-alpha.31
Affected: 2.0.0-alpha.32
Affected: 2.0.0-alpha.33
Affected: 2.0.0-alpha.34
Affected: 2.0.0-alpha.35
Affected: 2.0.0-alpha.36
Affected: 2.0.0-alpha.37
Affected: 2.0.0-alpha.38
Affected: 2.0.0-alpha.39
Affected: 2.0.0-alpha.40
Affected: 2.0.0-alpha.41
Affected: 2.0.0-alpha.42
Affected: 2.0.0-alpha.43
Affected: 2.0.0-alpha.44
Affected: 2.0.0-alpha.45
Affected: 2.0.0-alpha.46
Affected: 2.0.0-alpha.47
Affected: 2.0.0-alpha.48
Affected: 2.0.0-alpha.49
Affected: 2.0.0-alpha.50
Affected: 2.0.0-alpha.51
Affected: 2.0.0-alpha.52
Affected: 2.0.0-alpha.53
Affected: 2.0.0-alpha.54
Affected: 2.0.0-alpha.55
Affected: 2.0.0-alpha.56
Affected: 2.0.0-alpha.57
Affected: 2.0.0-alpha.58
Affected: 2.0.0-alpha.59
Affected: 2.0.0-alpha.60
Affected: 2.0.0-alpha.61
Affected: 2.0.0-alpha.62
Affected: 2.0.0-alpha.63
Credits
BruceJin (VulDB User) VulDB CNA Team

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-7223",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-28T12:40:43.378244Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-28T12:42:17.157Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "modules": [
            "AI Proxy Middleware"
          ],
          "product": "HyperChat",
          "vendor": "BigSweetPotatoStudio",
          "versions": [
            {
              "status": "affected",
              "version": "2.0.0-alpha.0"
            },
            {
              "status": "affected",
              "version": "2.0.0-alpha.1"
            },
            {
              "status": "affected",
              "version": "2.0.0-alpha.2"
            },
            {
              "status": "affected",
              "version": "2.0.0-alpha.3"
            },
            {
              "status": "affected",
              "version": "2.0.0-alpha.4"
            },
            {
              "status": "affected",
              "version": "2.0.0-alpha.5"
            },
            {
              "status": "affected",
              "version": "2.0.0-alpha.6"
            },
            {
              "status": "affected",
              "version": "2.0.0-alpha.7"
            },
            {
              "status": "affected",
              "version": "2.0.0-alpha.8"
            },
            {
              "status": "affected",
              "version": "2.0.0-alpha.9"
            },
            {
              "status": "affected",
              "version": "2.0.0-alpha.10"
            },
            {
              "status": "affected",
              "version": "2.0.0-alpha.11"
            },
            {
              "status": "affected",
              "version": "2.0.0-alpha.12"
            },
            {
              "status": "affected",
              "version": "2.0.0-alpha.13"
            },
            {
              "status": "affected",
              "version": "2.0.0-alpha.14"
            },
            {
              "status": "affected",
              "version": "2.0.0-alpha.15"
            },
            {
              "status": "affected",
              "version": "2.0.0-alpha.16"
            },
            {
              "status": "affected",
              "version": "2.0.0-alpha.17"
            },
            {
              "status": "affected",
              "version": "2.0.0-alpha.18"
            },
            {
              "status": "affected",
              "version": "2.0.0-alpha.19"
            },
            {
              "status": "affected",
              "version": "2.0.0-alpha.20"
            },
            {
              "status": "affected",
              "version": "2.0.0-alpha.21"
            },
            {
              "status": "affected",
              "version": "2.0.0-alpha.22"
            },
            {
              "status": "affected",
              "version": "2.0.0-alpha.23"
            },
            {
              "status": "affected",
              "version": "2.0.0-alpha.24"
            },
            {
              "status": "affected",
              "version": "2.0.0-alpha.25"
            },
            {
              "status": "affected",
              "version": "2.0.0-alpha.26"
            },
            {
              "status": "affected",
              "version": "2.0.0-alpha.27"
            },
            {
              "status": "affected",
              "version": "2.0.0-alpha.28"
            },
            {
              "status": "affected",
              "version": "2.0.0-alpha.29"
            },
            {
              "status": "affected",
              "version": "2.0.0-alpha.30"
            },
            {
              "status": "affected",
              "version": "2.0.0-alpha.31"
            },
            {
              "status": "affected",
              "version": "2.0.0-alpha.32"
            },
            {
              "status": "affected",
              "version": "2.0.0-alpha.33"
            },
            {
              "status": "affected",
              "version": "2.0.0-alpha.34"
            },
            {
              "status": "affected",
              "version": "2.0.0-alpha.35"
            },
            {
              "status": "affected",
              "version": "2.0.0-alpha.36"
            },
            {
              "status": "affected",
              "version": "2.0.0-alpha.37"
            },
            {
              "status": "affected",
              "version": "2.0.0-alpha.38"
            },
            {
              "status": "affected",
              "version": "2.0.0-alpha.39"
            },
            {
              "status": "affected",
              "version": "2.0.0-alpha.40"
            },
            {
              "status": "affected",
              "version": "2.0.0-alpha.41"
            },
            {
              "status": "affected",
              "version": "2.0.0-alpha.42"
            },
            {
              "status": "affected",
              "version": "2.0.0-alpha.43"
            },
            {
              "status": "affected",
              "version": "2.0.0-alpha.44"
            },
            {
              "status": "affected",
              "version": "2.0.0-alpha.45"
            },
            {
              "status": "affected",
              "version": "2.0.0-alpha.46"
            },
            {
              "status": "affected",
              "version": "2.0.0-alpha.47"
            },
            {
              "status": "affected",
              "version": "2.0.0-alpha.48"
            },
            {
              "status": "affected",
              "version": "2.0.0-alpha.49"
            },
            {
              "status": "affected",
              "version": "2.0.0-alpha.50"
            },
            {
              "status": "affected",
              "version": "2.0.0-alpha.51"
            },
            {
              "status": "affected",
              "version": "2.0.0-alpha.52"
            },
            {
              "status": "affected",
              "version": "2.0.0-alpha.53"
            },
            {
              "status": "affected",
              "version": "2.0.0-alpha.54"
            },
            {
              "status": "affected",
              "version": "2.0.0-alpha.55"
            },
            {
              "status": "affected",
              "version": "2.0.0-alpha.56"
            },
            {
              "status": "affected",
              "version": "2.0.0-alpha.57"
            },
            {
              "status": "affected",
              "version": "2.0.0-alpha.58"
            },
            {
              "status": "affected",
              "version": "2.0.0-alpha.59"
            },
            {
              "status": "affected",
              "version": "2.0.0-alpha.60"
            },
            {
              "status": "affected",
              "version": "2.0.0-alpha.61"
            },
            {
              "status": "affected",
              "version": "2.0.0-alpha.62"
            },
            {
              "status": "affected",
              "version": "2.0.0-alpha.63"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "BruceJin (VulDB User)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "VulDB CNA Team"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability was identified in BigSweetPotatoStudio HyperChat up to 2.0.0-alpha.63. Affected by this issue is the function fetch of the file packages/core/src/http/aiProxyMiddleware.mts of the component AI Proxy Middleware. Such manipulation of the argument baseurl leads to server-side request forgery. The attack can be launched remotely. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 7.5,
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-918",
              "description": "Server-Side Request Forgery",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-28T04:00:15.598Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-359823 | BigSweetPotatoStudio HyperChat AI Proxy Middleware aiProxyMiddleware.mts fetch server-side request forgery",
          "tags": [
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://vuldb.com/vuln/359823"
        },
        {
          "name": "VDB-359823 | CTI Indicators (IOB, IOC, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/vuln/359823/cti"
        },
        {
          "name": "Submit #802265 | BigSweetPotatoStudio HyperChat 2.0.0-alpha.63 Server-Side Request Forgery",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/submit/802265"
        },
        {
          "tags": [
            "exploit",
            "issue-tracking"
          ],
          "url": "https://github.com/BigSweetPotatoStudio/HyperChat/issues/142"
        },
        {
          "tags": [
            "product"
          ],
          "url": "https://github.com/BigSweetPotatoStudio/HyperChat/"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-04-27T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2026-04-27T02:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2026-04-27T17:43:53.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "BigSweetPotatoStudio HyperChat AI Proxy Middleware aiProxyMiddleware.mts fetch server-side request forgery"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2026-7223",
    "datePublished": "2026-04-28T04:00:15.598Z",
    "dateReserved": "2026-04-27T15:38:49.324Z",
    "dateUpdated": "2026-04-28T12:42:17.157Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-7253 (GCVE-0-2026-7253)

Vulnerability from cvelistv5 – Published: 2026-06-22 15:21 – Updated: 2026-06-23 13:43
VLAI
Title
IBM Watson Speech Services Cartridge is vulnerable to Server-Side Request Forgery (SSRF) in Sterling File Gateway
Summary
IBM Watson Speech Services Cartridge is vulnerable to Server-Side Request Forgery (SSRF) in Sterling File Gateway, due to a flaw which may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks [GHSA-rr7j-v2q5-chgv] [CVE-2026-7253]. IBM Sterling File Gateway is used in our speech runtimes. This vulnerability has been addressed. Please read the details for remediation below.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-918 - Server-Side request forgery (SSRF)
Assigner
ibm
References
Impacted products
Vendor Product Version
IBM IBM Watson Speech Services Cartridge Affected: 4.0.0, ≤ 5.3.1 (semver)

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-7253",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-23T13:43:05.352436Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-23T13:43:20.332Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "IBM Watson Speech Services Cartridge",
          "vendor": "IBM",
          "versions": [
            {
              "lessThanOrEqual": "5.3.1",
              "status": "affected",
              "version": "4.0.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:ibm:ibm_watson_speech_services_cartridge:*:*:*:*:*:*:*:*",
                  "versionEndIncluding": "5.3.1",
                  "versionStartIncluding": "4.0.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "IBM Watson Speech Services Cartridge is vulnerable to Server-Side Request Forgery (SSRF) in Sterling File Gateway, due to a flaw which may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks [GHSA-rr7j-v2q5-chgv] [CVE-2026-7253]. IBM Sterling File Gateway is used in our speech runtimes. This vulnerabilitiy has been addressed. Please read the details for remediation below."
            }
          ],
          "value": "IBM Watson Speech Services Cartridge is vulnerable to Server-Side Request Forgery (SSRF) in Sterling File Gateway, due to a flaw which may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks [GHSA-rr7j-v2q5-chgv] [CVE-2026-7253]. IBM Sterling File Gateway is used in our speech runtimes. This vulnerabilitiy has been addressed. Please read the details for remediation below."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-918",
              "description": "CWE-918 Server-Side request forgery (SSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-22T15:21:25.434Z",
        "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
        "shortName": "ibm"
      },
      "references": [
        {
          "url": "https://www.ibm.com/support/pages/node/7276994"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cbr\u003e\u003cp\u003e\u003c/p\u003e\u003cdiv\u003e\u003cdiv\u003e\u003cdiv\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eProduct(s)\u003c/td\u003e\u003ctd\u003eVersion(s)\u003c/td\u003e\u003ctd\u003eRemediation/Fix/Instructions\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIBM Watson Speech Services Cartridge\u003c/td\u003e\u003ctd\u003e5.4\u0026nbsp;\u003c/td\u003e\u003ctd\u003eThe fix in v5.4\u0026nbsp; applies to all versions listed (4.0.0-5.3.1). The newest version, 5.4 can be downloaded and installed from:\u003cbr\u003e\u003ca href=\"https://www.ibm.com/docs/en/cloud-paks/cp-data\" rel=\"nofollow\"\u003ehttps://www.ibm.com/docs/en/cloud-paks/cp-data\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e\u003cdiv\u003e\u003cdiv\u003e\u003c/div\u003e\u003c/div\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cdiv\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eProduct(s)\u003c/td\u003e\u003ctd\u003eVersion(s)\u003c/td\u003e\u003ctd\u003eRemediation/Fix/Instructions\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIBM Watson Speech Services Cartridge\u003c/td\u003e\u003ctd\u003e5.3.1 Patch 7\u0026nbsp;\u003c/td\u003e\u003ctd\u003eThe fix in 5.3.1 Patch 7\u0026nbsp; applies to all versions listed (4.0.0-5.3.1). The newest version of 5.3.1 with the included Patch 7 can be downloaded and installed from:\u003cbr\u003e\u003ca href=\"https://www.ibm.com/docs/en/cloud-paks/cp-data/5.3.x\" rel=\"nofollow\"\u003ehttps://www.ibm.com/docs/en/cloud-paks/cp-data/5.3.x\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003c/div\u003e"
            }
          ],
          "value": "Product(s)Version(s)Remediation/Fix/InstructionsIBM Watson Speech Services Cartridge5.4\u00a0The fix in v5.4\u00a0 applies to all versions listed (4.0.0-5.3.1). The newest version, 5.4 can be downloaded and installed from:\n https://www.ibm.com/docs/en/cloud-paks/cp-data \n\n\n\n\n\n\n\n\n\n\n\n\u00a0\n\nProduct(s)Version(s)Remediation/Fix/InstructionsIBM Watson Speech Services Cartridge5.3.1 Patch 7\u00a0The fix in 5.3.1 Patch 7\u00a0 applies to all versions listed (4.0.0-5.3.1). The newest version of 5.3.1 with the included Patch 7 can be downloaded and installed from:\n https://www.ibm.com/docs/en/cloud-paks/cp-data/5.3.x"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "IBM Watson Speech Services Cartridge is vulnerable to Server-Side Request Forgery (SSRF) in Sterling File Gateway",
      "x_generator": {
        "engine": "Vulnogram 1.0.2"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
    "assignerShortName": "ibm",
    "cveId": "CVE-2026-7253",
    "datePublished": "2026-06-22T15:21:25.434Z",
    "dateReserved": "2026-04-27T22:02:11.814Z",
    "dateUpdated": "2026-06-23T13:43:20.332Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-7291 (GCVE-0-2026-7291)

Vulnerability from cvelistv5 – Published: 2026-04-28 17:15 – Updated: 2026-04-28 18:34
VLAI
Title
o2oa URL Fetching FileAction.java FileAction server-side request forgery
Summary
A weakness has been identified in o2oa up to 10.0. This affects the function FileAction of the file FileAction.java of the component URL Fetching. Executing a manipulation of the argument fileUrl can lead to server-side request forgery. It is possible to launch the attack remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
SSVC
Exploitation: poc Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-918 - Server-Side Request Forgery
Assigner
References
URL Tags
https://vuldb.com/vuln/359951 vdb-entry, technical-description
https://vuldb.com/vuln/359951/cti signature, permissions-required
https://vuldb.com/submit/803073 third-party-advisory
https://github.com/o2oa/o2oa/issues/195 exploit, issue-tracking
https://github.com/o2oa/o2oa/ product
Impacted products
Vendor Product Version
n/a o2oa Affected: 10.0
Credits
larlarua (VulDB User) VulDB CNA Team

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-7291",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-28T18:34:41.772303Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-28T18:34:51.456Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "modules": [
            "URL Fetching"
          ],
          "product": "o2oa",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "10.0"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "larlarua (VulDB User)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "VulDB CNA Team"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A weakness has been identified in o2oa up to 10.0. This affects the function FileAction of the file FileAction.java of the component URL Fetching. Executing a manipulation of the argument fileUrl can lead to server-side request forgery. It is possible to launch the attack remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 6.5,
            "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-918",
              "description": "Server-Side Request Forgery",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-28T17:15:11.154Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-359951 | o2oa URL Fetching FileAction.java FileAction server-side request forgery",
          "tags": [
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://vuldb.com/vuln/359951"
        },
        {
          "name": "VDB-359951 | CTI Indicators (IOB, IOC, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/vuln/359951/cti"
        },
        {
          "name": "Submit #803073 | o2oa https://github.com/o2oa/o2oa 10.0 Server-Side Request Forgery",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/submit/803073"
        },
        {
          "tags": [
            "exploit",
            "issue-tracking"
          ],
          "url": "https://github.com/o2oa/o2oa/issues/195"
        },
        {
          "tags": [
            "product"
          ],
          "url": "https://github.com/o2oa/o2oa/"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-04-28T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2026-04-28T02:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2026-04-28T12:26:00.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "o2oa URL Fetching FileAction.java FileAction server-side request forgery"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2026-7291",
    "datePublished": "2026-04-28T17:15:11.154Z",
    "dateReserved": "2026-04-28T10:20:47.645Z",
    "dateUpdated": "2026-04-28T18:34:51.456Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-7305 (GCVE-0-2026-7305)

Vulnerability from cvelistv5 – Published: 2026-04-28 19:15 – Updated: 2026-04-29 13:09 Disputed
VLAI
Title
Xuxueli xxl-job trigger Endpoint XxlJobServiceImpl.java triggerJob server-side request forgery
Summary
A weakness has been identified in Xuxueli xxl-job up to 3.3.2. The affected element is the function triggerJob of the file xxl-job-admin/src/main/java/com/xxl/job/admin/service/impl/XxlJobServiceImpl.java of the component trigger Endpoint. This manipulation of the argument addressList causes server-side request forgery. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. There is ongoing doubt regarding the real existence of this vulnerability. The project maintainer explains (translated from Chinese): "Triggers are manually activated and involve login and access control, thus requiring management." The pull request by the researcher got rejected because of that.
SSVC
Exploitation: poc Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-918 - Server-Side Request Forgery
Assigner
References
URL Tags
https://vuldb.com/vuln/359960 vdb-entry, technical-description
https://vuldb.com/vuln/359960/cti signature, permissions-required
https://vuldb.com/submit/803076 third-party-advisory
https://github.com/xuxueli/xxl-job/issues/3935 exploit, issue-tracking
https://github.com/xuxueli/xxl-job/pull/3937 issue-tracking, patch
https://github.com/xuxueli/xxl-job/ product
Impacted products
Vendor Product Version
Xuxueli xxl-job Affected: 3.3.0
Affected: 3.3.1
Affected: 3.3.2
    cpe:2.3:a:xuxueli:xxl-job:*:*:*:*:*:*:*:*
Credits
larlarua (VulDB User) VulDB CNA Team

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-7305",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-29T13:09:36.238444Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-29T13:09:52.781Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:xuxueli:xxl-job:*:*:*:*:*:*:*:*"
          ],
          "modules": [
            "trigger Endpoint"
          ],
          "product": "xxl-job",
          "vendor": "Xuxueli",
          "versions": [
            {
              "status": "affected",
              "version": "3.3.0"
            },
            {
              "status": "affected",
              "version": "3.3.1"
            },
            {
              "status": "affected",
              "version": "3.3.2"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "larlarua (VulDB User)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "VulDB CNA Team"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A weakness has been identified in Xuxueli xxl-job up to 3.3.2. The affected element is the function triggerJob of the file xxl-job-admin/src/main/java/com/xxl/job/admin/service/impl/XxlJobServiceImpl.java of the component trigger Endpoint. This manipulation of the argument addressList causes server-side request forgery. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. There is ongoing doubt regarding the real existence of this vulnerability. The project maintainer explains (translated from Chinese): \"Triggers are manually activated and involve login and access control, thus requiring management.\" The pull request by the researcher got rejected because of that."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 6.5,
            "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-918",
              "description": "Server-Side Request Forgery",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-28T19:15:13.287Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-359960 | Xuxueli xxl-job trigger Endpoint XxlJobServiceImpl.java triggerJob server-side request forgery",
          "tags": [
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://vuldb.com/vuln/359960"
        },
        {
          "name": "VDB-359960 | CTI Indicators (IOB, IOC, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/vuln/359960/cti"
        },
        {
          "name": "Submit #803076 | xuxueli https://github.com/xuxueli/xxl-job v3.3.2 Server-Side Request Forgery",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/submit/803076"
        },
        {
          "tags": [
            "exploit",
            "issue-tracking"
          ],
          "url": "https://github.com/xuxueli/xxl-job/issues/3935"
        },
        {
          "tags": [
            "issue-tracking",
            "patch"
          ],
          "url": "https://github.com/xuxueli/xxl-job/pull/3937"
        },
        {
          "tags": [
            "product"
          ],
          "url": "https://github.com/xuxueli/xxl-job/"
        }
      ],
      "tags": [
        "disputed"
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-04-28T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2026-04-28T02:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2026-04-28T13:50:25.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "Xuxueli xxl-job trigger Endpoint XxlJobServiceImpl.java triggerJob server-side request forgery"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2026-7305",
    "datePublished": "2026-04-28T19:15:13.287Z",
    "dateReserved": "2026-04-28T11:45:12.858Z",
    "dateUpdated": "2026-04-29T13:09:52.781Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

No mitigation information available for this CWE.

CAPEC-664: Server Side Request Forgery

An adversary exploits improper input validation by submitting maliciously crafted input to a target application running on a server, with the goal of forcing the server to make a request either to itself, to web services running in the server’s internal network, or to external third parties. If successful, the adversary’s request will be made with the server’s privilege level, bypassing its authentication controls. This ultimately allows the adversary to access sensitive data, execute commands on the server’s network, and make external requests with the stolen identity of the server. Server Side Request Forgery attacks differ from Cross Site Request Forgery attacks in that they target the server itself, whereas CSRF attacks exploit an insecure user authentication mechanism to perform unauthorized actions on the user's behalf.
