{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-7178", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-04-27T08:16:05.917Z", "datePublished": "2026-04-27T22:00:20.342Z", "dateUpdated": "2026-04-28T14:01:44.043Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-27T22:00:20.342Z"}, "title": "ChatGPTNextWeb NextChat Artifacts Endpoint route.ts storeUrl server-side request forgery", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-918", "lang": "en", "description": "Server-Side Request Forgery"}]}], "affected": [{"vendor": "ChatGPTNextWeb", "product": "NextChat", "versions": [{"version": "2.16.0", "status": "affected"}, {"version": "2.16.1", "status": "affected"}], "modules": ["Artifacts Endpoint"]}], "descriptions": [{"lang": "en", "value": "A weakness has been identified in ChatGPTNextWeb NextChat up to 2.16.1. This affects the function storeUrl of the file app/api/artifacts/route.ts of the component Artifacts Endpoint. This manipulation of the argument ID causes server-side request forgery. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "HIGH"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 7.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "HIGH"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-04-27T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-04-27T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-04-27T10:21:14.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "Eric-b (VulDB User)", "type": "reporter"}, {"lang": "en", "value": "VulDB CNA Team", "type": "coordinator"}], "references": [{"url": "https://vuldb.com/vuln/359780", "name": "VDB-359780 | ChatGPTNextWeb NextChat Artifacts Endpoint route.ts storeUrl server-side request forgery", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/359780/cti", "name": "VDB-359780 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/797646", "name": "Submit #797646 | nextchat <= 2.16.1 Server-Side Request Forgery (CWE-918) / Path Traversal (CWE-22)", "tags": ["third-party-advisory"]}, {"url": "https://github.com/ChatGPTNextWeb/NextChat/issues/6741", "tags": ["issue-tracking"]}, {"url": "https://gist.github.com/YLChen-007/43252d45d75e8bdd2d45136fd6ffe8a5", "tags": ["exploit"]}, {"url": "https://github.com/ChatGPTNextWeb/NextChat/", "tags": ["product"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-28T14:01:30.983014Z", "id": "CVE-2026-7178", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T14:01:44.043Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-7178", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-28T14:01:30.983014Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T14:01:39.270Z"}}], "cna": {"title": "ChatGPTNextWeb NextChat Artifacts Endpoint route.ts storeUrl server-side request forgery", "credits": [{"lang": "en", "type": "reporter", "value": "Eric-b (VulDB User)"}, {"lang": "en", "type": "coordinator", "value": "VulDB CNA Team"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 7.3, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 7.3, "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "affected": [{"vendor": "ChatGPTNextWeb", "modules": ["Artifacts Endpoint"], "product": "NextChat", "versions": [{"status": "affected", "version": "2.16.0"}, {"status": "affected", "version": "2.16.1"}]}], "timeline": [{"lang": "en", "time": "2026-04-27T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-04-27T02:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-04-27T10:21:14.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/vuln/359780", "name": "VDB-359780 | ChatGPTNextWeb NextChat Artifacts Endpoint route.ts storeUrl server-side request forgery", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/359780/cti", "name": "VDB-359780 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/797646", "name": "Submit #797646 | nextchat <= 2.16.1 Server-Side Request Forgery (CWE-918) / Path Traversal (CWE-22)", "tags": ["third-party-advisory"]}, {"url": "https://github.com/ChatGPTNextWeb/NextChat/issues/6741", "tags": ["issue-tracking"]}, {"url": "https://gist.github.com/YLChen-007/43252d45d75e8bdd2d45136fd6ffe8a5", "tags": ["exploit"]}, {"url": "https://github.com/ChatGPTNextWeb/NextChat/", "tags": ["product"]}], "descriptions": [{"lang": "en", "value": "A weakness has been identified in ChatGPTNextWeb NextChat up to 2.16.1. This affects the function storeUrl of the file app/api/artifacts/route.ts of the component Artifacts Endpoint. This manipulation of the argument ID causes server-side request forgery. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "Server-Side Request Forgery"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-27T22:00:20.342Z"}}}, "cveMetadata": {"cveId": "CVE-2026-7178", "state": "PUBLISHED", "dateUpdated": "2026-04-28T14:01:44.043Z", "dateReserved": "2026-04-27T08:16:05.917Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-04-27T22:00:20.342Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nextchat:nextchat:2.16.0:*:*:*:*:*:*:*", "matchCriteriaId": "A9914C8A-D623-470F-AB08-22AB34A87D4F", "vulnerable": true}, {"criteria": "cpe:2.3:a:nextchat:nextchat:2.16.1:*:*:*:*:*:*:*", "matchCriteriaId": "C07942DD-696B-4AE6-BD2F-87ECBF749E92", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A weakness has been identified in ChatGPTNextWeb NextChat up to 2.16.1. This affects the function storeUrl of the file app/api/artifacts/route.ts of the component Artifacts Endpoint. This manipulation of the argument ID causes server-side request forgery. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet."}], "id": "CVE-2026-7178", "lastModified": "2026-04-30T19:26:52.517", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-04-27T22:16:19.050", "references": [{"source": "cna@vuldb.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://gist.github.com/YLChen-007/43252d45d75e8bdd2d45136fd6ffe8a5"}, {"source": "cna@vuldb.com", "tags": ["Product"], "url": "https://github.com/ChatGPTNextWeb/NextChat/"}, {"source": "cna@vuldb.com", "tags": ["Issue Tracking"], "url": "https://github.com/ChatGPTNextWeb/NextChat/issues/6741"}, {"source": "cna@vuldb.com", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "url": "https://vuldb.com/submit/797646"}, {"source": "cna@vuldb.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://vuldb.com/vuln/359780"}, {"source": "cna@vuldb.com", "tags": ["Permissions Required"], "url": "https://vuldb.com/vuln/359780/cti"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.16.0"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.16.1"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "NextChat", "source": "cna", "vendor": "ChatGPTNextWeb"}, "product": "nextchat", "vendor": "chatgptnextweb"}], "analysis": {"en": {"generated_at": "2026-04-28T19:38:45.745642+00:00", "value": {"mitigation_remediation": ["Upgrade NextChat to the latest released version once the vendor fixes the SSRF flaw.", "If an upgrade is not possible, disable or remove the Artifacts Endpoint route and eliminate the storeUrl functionality from the API surface.", "Implement network segmentation or firewall rules that block the application\u2019s outbound traffic to untrusted domains, limiting the scope of potential SSRF exploitation."], "summary": {"action": "Patch", "impact": "Server\u2011Side Request Forgery (SSRF)"}, "threat_synthesis": {"affected_systems": "ChatGPTNextWeb NextChat, current releases up to version 2.16.1. The issue is limited to the artifcets API endpoint and affects all deployments that include the default storeUrl function without additional safeguards.", "description_and_impact": "The vulnerability is a server\u2011side request forgery flaw in the storeUrl function of the Artifacts Endpoint route, where a crafted ID parameter can cause the server to perform outgoing HTTP requests to arbitrary URLs. This allows an attacker to retrieve internal resources, exfiltrate sensitive data, or interact with external services on behalf of the server. The weakness is CWE-918, which indicates misuse of untrusted user input in network requests. The impact includes potential compromise of confidentiality, integrity, and availability of the underlying infrastructure as the attacker can force the application to contact any network target.", "risk_and_exploitability": "The CVSS score of 6.9 classifies the vulnerability as Moderate, but the public availability of an exploit and the lack of a verified patch increase the practical risk for actively running systems. The EPSS score is not available, and the vulnerability is not listed in CISA KEV, yet the attack can be initiated remotely with the supplied payload. Administrators should treat this as a high\u2011priority issue until a corrective release is issued."}}}}, "created": "2026-04-28T09:16:50.010941+00:00", "updated": "2026-04-28T19:45:07.594695+00:00", "vendors": ["chatgptnextweb", "chatgptnextweb$PRODUCT$nextchat"]}