CVE-2026-9372: Server-Side Request Forgery in ItzCrazyKns Vane
CVE-2026-9372 is a server-side request forgery (SSRF) vulnerability in ItzCrazyKns Vane versions up to 1. 12. 1. The flaw exists in the Model Provider API component, specifically in the src/app/api/providers/route. ts file, where manipulation of the baseURL argument can lead to SSRF. Remote exploitation is possible, and a public exploit has been published. The vendor has been informed but has not yet responded or provided a fix. The vulnerability has a CVSS 4. 0 score of 6. 9, indicating medium severity.
AI Analysis
Technical Summary
This vulnerability in ItzCrazyKns Vane (up to version 1.12.1) allows an attacker to perform server-side request forgery by manipulating the baseURL parameter in the Model Provider API's route.ts file. This can cause the server to make unintended requests, potentially exposing internal resources or services. The issue is confirmed and publicly disclosed, with an exploit available. No official remediation or patch has been released by the vendor as of the publication date.
Potential Impact
Successful exploitation allows an unauthenticated remote attacker to induce the vulnerable server to make arbitrary HTTP requests. This can lead to information disclosure or interaction with internal systems not otherwise accessible. The medium CVSS score reflects the potential for partial impact on confidentiality, integrity, and availability, but no direct evidence of widespread exploitation or critical impact is reported.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since the vendor has not responded or issued a fix, users should consider implementing network-level controls to restrict outbound requests from the affected service and monitor for suspicious activity related to the baseURL parameter. Avoid exposing the vulnerable API to untrusted networks until a patch is available.
CVE-2026-9372: Server-Side Request Forgery in ItzCrazyKns Vane
Description
CVE-2026-9372 is a server-side request forgery (SSRF) vulnerability in ItzCrazyKns Vane versions up to 1. 12. 1. The flaw exists in the Model Provider API component, specifically in the src/app/api/providers/route. ts file, where manipulation of the baseURL argument can lead to SSRF. Remote exploitation is possible, and a public exploit has been published. The vendor has been informed but has not yet responded or provided a fix. The vulnerability has a CVSS 4. 0 score of 6. 9, indicating medium severity.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability in ItzCrazyKns Vane (up to version 1.12.1) allows an attacker to perform server-side request forgery by manipulating the baseURL parameter in the Model Provider API's route.ts file. This can cause the server to make unintended requests, potentially exposing internal resources or services. The issue is confirmed and publicly disclosed, with an exploit available. No official remediation or patch has been released by the vendor as of the publication date.
Potential Impact
Successful exploitation allows an unauthenticated remote attacker to induce the vulnerable server to make arbitrary HTTP requests. This can lead to information disclosure or interaction with internal systems not otherwise accessible. The medium CVSS score reflects the potential for partial impact on confidentiality, integrity, and availability, but no direct evidence of widespread exploitation or critical impact is reported.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since the vendor has not responded or issued a fix, users should consider implementing network-level controls to restrict outbound requests from the affected service and monitor for suspicious activity related to the baseURL parameter. Avoid exposing the vulnerable API to untrusted networks until a patch is available.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- VulDB
- Date Reserved
- 2026-05-23T14:01:38.737Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a12d38909f6977edb4f91d7
Added to database: 5/24/2026, 10:31:37 AM
Last enriched: 5/24/2026, 10:46:36 AM
Last updated: 5/24/2026, 11:35:54 AM
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.