CVE-2026-7223

HIGH

BigSweetPotatoStudio HyperChat AI Proxy Middleware aiProxyMiddleware.mts fetch server-side request forgery

Title source: cna
STIX 2.1

Description

A vulnerability was identified in BigSweetPotatoStudio HyperChat up to 2.0.0-alpha.63. Affected by this issue is the function fetch of the file packages/core/src/http/aiProxyMiddleware.mts of the component AI Proxy Middleware. Such manipulation of the argument baseurl leads to server-side request forgery. The attack can be launched remotely. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet.

References (5)

Core 5
Core References
Vdb Entry, Technical Description vdb-entry technical-description
VDB-359823 | BigSweetPotatoStudio HyperChat AI Proxy Middleware aiProxyMiddleware.mts fetch server-side request forgery
https://vuldb.com/vuln/359823
Signature, Permissions Required signature permissions-required
VDB-359823 | CTI Indicators (IOB, IOC, IOA)
https://vuldb.com/vuln/359823/cti
Third Party Advisory third-party-advisory
Submit #802265 | BigSweetPotatoStudio HyperChat 2.0.0-alpha.63 Server-Side Request Forgery
https://vuldb.com/submit/802265

Scores

CVSS v3 7.3
EPSS 0.0028
EPSS Percentile 19.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact partial

Details

CWE
CWE-918
Status published
Products (50)
BigSweetPotatoStudio/HyperChat 2.0.0-alpha.0
BigSweetPotatoStudio/HyperChat 2.0.0-alpha.1
BigSweetPotatoStudio/HyperChat 2.0.0-alpha.10
BigSweetPotatoStudio/HyperChat 2.0.0-alpha.11
BigSweetPotatoStudio/HyperChat 2.0.0-alpha.12
BigSweetPotatoStudio/HyperChat 2.0.0-alpha.13
BigSweetPotatoStudio/HyperChat 2.0.0-alpha.14
BigSweetPotatoStudio/HyperChat 2.0.0-alpha.15
BigSweetPotatoStudio/HyperChat 2.0.0-alpha.16
BigSweetPotatoStudio/HyperChat 2.0.0-alpha.17
... and 40 more
Published Apr 28, 2026
Tracked Since Apr 28, 2026