Description
A flaw has been found in ItzCrazyKns Vane up to 1.12.1. This vulnerability affects unknown code of the file src/app/api/providers/route.ts of the component Model Provider API. This manipulation of the argument baseURL causes server-side request forgery. Remote exploitation of the attack is possible. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-05-24
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The route reads the baseURL argument from the request and uses it as the destination of an outbound request without validating it (CWE-918, server-side request forgery). An attacker who can reach the API can therefore make the server send requests to destinations of the attacker's choosing, including internal services and address ranges that are not exposed to the Internet, potentially reaching internal resources or leaking data through the server. The flaw is exploitable remotely and an exploit has already been published.

Affected Systems

ItzCrazyKns Vane versions up to 1.12.1 are affected. The issue occurs in the file src/app/api/providers/route.ts of the component Model Provider API.

Risk and Exploitability

The CVSS v4.0 base score of 6.9 rates the flaw Medium; the v3.1 vector recorded under History scores 7.3 (High). No EPSS score is available yet, but the public availability of an exploit makes exploitation a realistic prospect. The attack vector (AV:N/AC:L/PR:N/UI:N) is remote HTTP access to the API route, with no privileges or user interaction required. The flaw is not listed in the CISA KEV catalog, but the documented exploit warrants prompt attention.

Generated by OpenCVE AI on May 24, 2026 at 11:20 UTC.

Remediation

No vendor fix or workaround is currently available.

OpenCVE Recommended Actions

  • Upgrade Vane to a release that fixes the SSRF once the project publishes one; as of this entry no fixed version beyond 1.12.1 exists, so the remaining actions are the only mitigation in the meantime.
  • Until then, restrict access to the Model Provider API endpoint (src/app/api/providers/route.ts) with network firewalls or authentication and access controls so that only trusted sources can reach it.
  • Validate the baseURL parameter against an allowlist of permitted provider hosts or URL patterns before the server uses it for any outbound request, and reject non-HTTPS schemes and IP literals; prefer an allowlist over a denylist of private address ranges, which is easy to bypass.

Generated by OpenCVE AI on May 24, 2026 at 11:20 UTC.

Advisories

No advisories yet.

History

Sun, 24 May 2026 10:30:00 +0000

Values removed: none

Values added:

Description: A flaw has been found in ItzCrazyKns Vane up to 1.12.1. This vulnerability affects unknown code of the file src/app/api/providers/route.ts of the component Model Provider API. This manipulation of the argument baseURL causes server-side request forgery. Remote exploitation of the attack is possible. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Title: ItzCrazyKns Vane Model Provider API route.ts server-side request forgery
First time appeared: Itzcrazykns; Itzcrazykns vane
Weaknesses: CWE-918
CPEs: cpe:2.3:a:itzcrazykns:vane:*:*:*:*:*:*:*:*
Vendors & Products: Itzcrazykns; Itzcrazykns vane
References: none
Metrics:
  cvssV2_0: score 7.5, vector AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR
  cvssV3_0: score 7.3, vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
  cvssV3_1: score 7.3, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
  cvssV4_0: score 6.9, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-24T10:00:18.239Z

Reserved: 2026-05-23T14:01:38.737Z

Link: CVE-2026-9372

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-24T11:30:25Z

Weaknesses