CVE-2026-9372
HIGH
ItzCrazyKns Vane Model Provider API route.ts server-side request forgery
Title source: cnaDescription
A flaw has been found in ItzCrazyKns Vane up to 1.12.1. The vulnerability affects unknown code in the file src/app/api/providers/route.ts of the Model Provider API component. Manipulation of the baseURL argument causes server-side request forgery. The attack can be carried out remotely. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet.
References (5)
Vdb Entry, Technical Description
VDB-365336 | ItzCrazyKns Vane Model Provider API route.ts server-side request forgery
https://vuldb.com/vuln/365336
Signature, Permissions Required
VDB-365336 | CTI Indicators (IOB, IOC, IOA)
https://vuldb.com/vuln/365336/cti
Third Party Advisory
Submit #813211 | ItzCrazyKns Vane 1.12.1 SSRF via Model Provider baseURL
https://vuldb.com/submit/813211
Exploit, Issue Tracking
https://github.com/ItzCrazyKns/Vane/issues/1124
Product
https://github.com/ItzCrazyKns/Vane/
Scores
CVSS v3: 7.3
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
Details
CWE: CWE-918
Status: published
Products (2)
ItzCrazyKns/Vane 1.12.0
ItzCrazyKns/Vane 1.12.1
Published: May 24, 2026
Tracked Since: May 24, 2026