{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-7223", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-04-27T15:38:49.324Z", "datePublished": "2026-04-28T04:00:15.598Z", "dateUpdated": "2026-04-28T12:42:17.157Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-28T04:00:15.598Z"}, "title": "BigSweetPotatoStudio HyperChat AI Proxy Middleware aiProxyMiddleware.mts fetch server-side request forgery", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-918", "lang": "en", "description": "Server-Side Request Forgery"}]}], "affected": [{"vendor": "BigSweetPotatoStudio", "product": "HyperChat", "versions": [{"version": "2.0.0-alpha.0", "status": "affected"}, {"version": "2.0.0-alpha.1", "status": "affected"}, {"version": "2.0.0-alpha.2", "status": "affected"}, {"version": "2.0.0-alpha.3", "status": "affected"}, {"version": "2.0.0-alpha.4", "status": "affected"}, {"version": "2.0.0-alpha.5", "status": "affected"}, {"version": "2.0.0-alpha.6", "status": "affected"}, {"version": "2.0.0-alpha.7", "status": "affected"}, {"version": "2.0.0-alpha.8", "status": "affected"}, {"version": "2.0.0-alpha.9", "status": "affected"}, {"version": "2.0.0-alpha.10", "status": "affected"}, {"version": "2.0.0-alpha.11", "status": "affected"}, {"version": "2.0.0-alpha.12", "status": "affected"}, {"version": "2.0.0-alpha.13", "status": "affected"}, {"version": "2.0.0-alpha.14", "status": "affected"}, {"version": "2.0.0-alpha.15", "status": "affected"}, {"version": "2.0.0-alpha.16", "status": "affected"}, {"version": "2.0.0-alpha.17", "status": "affected"}, {"version": "2.0.0-alpha.18", "status": "affected"}, {"version": "2.0.0-alpha.19", "status": "affected"}, {"version": "2.0.0-alpha.20", "status": "affected"}, {"version": "2.0.0-alpha.21", "status": "affected"}, {"version": "2.0.0-alpha.22", "status": "affected"}, {"version": "2.0.0-alpha.23", "status": "affected"}, {"version": "2.0.0-alpha.24", "status": "affected"}, {"version": "2.0.0-alpha.25", "status": "affected"}, {"version": "2.0.0-alpha.26", "status": "affected"}, {"version": "2.0.0-alpha.27", "status": "affected"}, {"version": "2.0.0-alpha.28", "status": "affected"}, {"version": "2.0.0-alpha.29", "status": "affected"}, {"version": "2.0.0-alpha.30", "status": "affected"}, {"version": "2.0.0-alpha.31", "status": "affected"}, {"version": "2.0.0-alpha.32", "status": "affected"}, {"version": "2.0.0-alpha.33", "status": "affected"}, {"version": "2.0.0-alpha.34", "status": "affected"}, {"version": "2.0.0-alpha.35", "status": "affected"}, {"version": "2.0.0-alpha.36", "status": "affected"}, {"version": "2.0.0-alpha.37", "status": "affected"}, {"version": "2.0.0-alpha.38", "status": "affected"}, {"version": "2.0.0-alpha.39", "status": "affected"}, {"version": "2.0.0-alpha.40", "status": "affected"}, {"version": "2.0.0-alpha.41", "status": "affected"}, {"version": "2.0.0-alpha.42", "status": "affected"}, {"version": "2.0.0-alpha.43", "status": "affected"}, {"version": "2.0.0-alpha.44", "status": "affected"}, {"version": "2.0.0-alpha.45", "status": "affected"}, {"version": "2.0.0-alpha.46", "status": "affected"}, {"version": "2.0.0-alpha.47", "status": "affected"}, {"version": "2.0.0-alpha.48", "status": "affected"}, {"version": "2.0.0-alpha.49", "status": "affected"}, {"version": "2.0.0-alpha.50", "status": "affected"}, {"version": "2.0.0-alpha.51", "status": "affected"}, {"version": "2.0.0-alpha.52", "status": "affected"}, {"version": "2.0.0-alpha.53", "status": "affected"}, {"version": "2.0.0-alpha.54", "status": "affected"}, {"version": "2.0.0-alpha.55", "status": "affected"}, {"version": "2.0.0-alpha.56", "status": "affected"}, {"version": "2.0.0-alpha.57", "status": "affected"}, {"version": "2.0.0-alpha.58", "status": "affected"}, {"version": "2.0.0-alpha.59", "status": "affected"}, {"version": "2.0.0-alpha.60", "status": "affected"}, {"version": "2.0.0-alpha.61", "status": "affected"}, {"version": "2.0.0-alpha.62", "status": "affected"}, {"version": "2.0.0-alpha.63", "status": "affected"}], "modules": ["AI Proxy Middleware"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was identified in BigSweetPotatoStudio HyperChat up to 2.0.0-alpha.63. Affected by this issue is the function fetch of the file packages/core/src/http/aiProxyMiddleware.mts of the component AI Proxy Middleware. Such manipulation of the argument baseurl leads to server-side request forgery. The attack can be launched remotely. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "HIGH"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 7.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "HIGH"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-04-27T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-04-27T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-04-27T17:43:53.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "BruceJin (VulDB User)", "type": "reporter"}, {"lang": "en", "value": "VulDB CNA Team", "type": "coordinator"}], "references": [{"url": "https://vuldb.com/vuln/359823", "name": "VDB-359823 | BigSweetPotatoStudio HyperChat AI Proxy Middleware aiProxyMiddleware.mts fetch server-side request forgery", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/359823/cti", "name": "VDB-359823 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/802265", "name": "Submit #802265 | BigSweetPotatoStudio HyperChat 2.0.0-alpha.63 Server-Side Request Forgery", "tags": ["third-party-advisory"]}, {"url": "https://github.com/BigSweetPotatoStudio/HyperChat/issues/142", "tags": ["exploit", "issue-tracking"]}, {"url": "https://github.com/BigSweetPotatoStudio/HyperChat/", "tags": ["product"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-28T12:40:43.378244Z", "id": "CVE-2026-7223", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T12:42:17.157Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-7223", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-04-27T15:38:49.324Z", "datePublished": "2026-04-28T04:00:15.598Z", "dateUpdated": "2026-04-28T12:42:17.157Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-28T04:00:15.598Z"}, "title": "BigSweetPotatoStudio HyperChat AI Proxy Middleware aiProxyMiddleware.mts fetch server-side request forgery", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-918", "lang": "en", "description": "Server-Side Request Forgery"}]}], "affected": [{"vendor": "BigSweetPotatoStudio", "product": "HyperChat", "versions": [{"version": "2.0.0-alpha.0", "status": "affected"}, {"version": "2.0.0-alpha.1", "status": "affected"}, {"version": "2.0.0-alpha.2", "status": "affected"}, {"version": "2.0.0-alpha.3", "status": "affected"}, {"version": "2.0.0-alpha.4", "status": "affected"}, {"version": "2.0.0-alpha.5", "status": "affected"}, {"version": "2.0.0-alpha.6", "status": "affected"}, {"version": "2.0.0-alpha.7", "status": "affected"}, {"version": "2.0.0-alpha.8", "status": "affected"}, {"version": "2.0.0-alpha.9", "status": "affected"}, {"version": "2.0.0-alpha.10", "status": "affected"}, {"version": "2.0.0-alpha.11", "status": "affected"}, {"version": "2.0.0-alpha.12", "status": "affected"}, {"version": "2.0.0-alpha.13", "status": "affected"}, {"version": "2.0.0-alpha.14", "status": "affected"}, {"version": "2.0.0-alpha.15", "status": "affected"}, {"version": "2.0.0-alpha.16", "status": "affected"}, {"version": "2.0.0-alpha.17", "status": "affected"}, {"version": "2.0.0-alpha.18", "status": "affected"}, {"version": "2.0.0-alpha.19", "status": "affected"}, {"version": "2.0.0-alpha.20", "status": "affected"}, {"version": "2.0.0-alpha.21", "status": "affected"}, {"version": "2.0.0-alpha.22", "status": "affected"}, {"version": "2.0.0-alpha.23", "status": "affected"}, {"version": "2.0.0-alpha.24", "status": "affected"}, {"version": "2.0.0-alpha.25", "status": "affected"}, {"version": "2.0.0-alpha.26", "status": "affected"}, {"version": "2.0.0-alpha.27", "status": "affected"}, {"version": "2.0.0-alpha.28", "status": "affected"}, {"version": "2.0.0-alpha.29", "status": "affected"}, {"version": "2.0.0-alpha.30", "status": "affected"}, {"version": "2.0.0-alpha.31", "status": "affected"}, {"version": "2.0.0-alpha.32", "status": "affected"}, {"version": "2.0.0-alpha.33", "status": "affected"}, {"version": "2.0.0-alpha.34", "status": "affected"}, {"version": "2.0.0-alpha.35", "status": "affected"}, {"version": "2.0.0-alpha.36", "status": "affected"}, {"version": "2.0.0-alpha.37", "status": "affected"}, {"version": "2.0.0-alpha.38", "status": "affected"}, {"version": "2.0.0-alpha.39", "status": "affected"}, {"version": "2.0.0-alpha.40", "status": "affected"}, {"version": "2.0.0-alpha.41", "status": "affected"}, {"version": "2.0.0-alpha.42", "status": "affected"}, {"version": "2.0.0-alpha.43", "status": "affected"}, {"version": "2.0.0-alpha.44", "status": "affected"}, {"version": "2.0.0-alpha.45", "status": "affected"}, {"version": "2.0.0-alpha.46", "status": "affected"}, {"version": "2.0.0-alpha.47", "status": "affected"}, {"version": "2.0.0-alpha.48", "status": "affected"}, {"version": "2.0.0-alpha.49", "status": "affected"}, {"version": "2.0.0-alpha.50", "status": "affected"}, {"version": "2.0.0-alpha.51", "status": "affected"}, {"version": "2.0.0-alpha.52", "status": "affected"}, {"version": "2.0.0-alpha.53", "status": "affected"}, {"version": "2.0.0-alpha.54", "status": "affected"}, {"version": "2.0.0-alpha.55", "status": "affected"}, {"version": "2.0.0-alpha.56", "status": "affected"}, {"version": "2.0.0-alpha.57", "status": "affected"}, {"version": "2.0.0-alpha.58", "status": "affected"}, {"version": "2.0.0-alpha.59", "status": "affected"}, {"version": "2.0.0-alpha.60", "status": "affected"}, {"version": "2.0.0-alpha.61", "status": "affected"}, {"version": "2.0.0-alpha.62", "status": "affected"}, {"version": "2.0.0-alpha.63", "status": "affected"}], "modules": ["AI Proxy Middleware"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was identified in BigSweetPotatoStudio HyperChat up to 2.0.0-alpha.63. Affected by this issue is the function fetch of the file packages/core/src/http/aiProxyMiddleware.mts of the component AI Proxy Middleware. Such manipulation of the argument baseurl leads to server-side request forgery. The attack can be launched remotely. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "HIGH"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 7.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "HIGH"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-04-27T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-04-27T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-04-27T17:43:53.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "BruceJin (VulDB User)", "type": "reporter"}, {"lang": "en", "value": "VulDB CNA Team", "type": "coordinator"}], "references": [{"url": "https://vuldb.com/vuln/359823", "name": "VDB-359823 | BigSweetPotatoStudio HyperChat AI Proxy Middleware aiProxyMiddleware.mts fetch server-side request forgery", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/359823/cti", "name": "VDB-359823 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/802265", "name": "Submit #802265 | BigSweetPotatoStudio HyperChat 2.0.0-alpha.63 Server-Side Request Forgery", "tags": ["third-party-advisory"]}, {"url": "https://github.com/BigSweetPotatoStudio/HyperChat/issues/142", "tags": ["exploit", "issue-tracking"]}, {"url": "https://github.com/BigSweetPotatoStudio/HyperChat/", "tags": ["product"]}]}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-7223", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-28T12:40:43.378244Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T12:42:04.317Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was identified in BigSweetPotatoStudio HyperChat up to 2.0.0-alpha.63. Affected by this issue is the function fetch of the file packages/core/src/http/aiProxyMiddleware.mts of the component AI Proxy Middleware. Such manipulation of the argument baseurl leads to server-side request forgery. The attack can be launched remotely. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet."}], "id": "CVE-2026-7223", "lastModified": "2026-04-29T01:00:01.613", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-04-28T04:16:29.043", "references": [{"source": "cna@vuldb.com", "url": "https://github.com/BigSweetPotatoStudio/HyperChat/"}, {"source": "cna@vuldb.com", "url": "https://github.com/BigSweetPotatoStudio/HyperChat/issues/142"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/submit/802265"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/359823"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/359823/cti"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.0.0-alpha.0"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.0.0-alpha.1"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.0.0-alpha.2"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.0.0-alpha.3"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.0.0-alpha.4"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.0.0-alpha.5"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.0.0-alpha.6"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.0.0-alpha.7"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.0.0-alpha.8"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.0.0-alpha.9"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.0.0-alpha.10"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.0.0-alpha.11"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.0.0-alpha.12"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.0.0-alpha.13"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.0.0-alpha.14"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.0.0-alpha.15"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.0.0-alpha.16"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.0.0-alpha.17"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.0.0-alpha.18"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.0.0-alpha.19"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.0.0-alpha.20"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.0.0-alpha.21"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.0.0-alpha.22"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.0.0-alpha.23"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.0.0-alpha.24"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.0.0-alpha.25"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.0.0-alpha.26"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.0.0-alpha.27"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.0.0-alpha.28"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.0.0-alpha.29"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.0.0-alpha.30"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.0.0-alpha.31"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.0.0-alpha.32"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.0.0-alpha.33"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.0.0-alpha.34"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.0.0-alpha.35"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.0.0-alpha.36"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.0.0-alpha.37"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.0.0-alpha.38"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.0.0-alpha.39"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.0.0-alpha.40"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.0.0-alpha.41"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.0.0-alpha.42"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.0.0-alpha.43"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.0.0-alpha.44"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.0.0-alpha.45"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.0.0-alpha.46"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.0.0-alpha.47"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.0.0-alpha.48"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.0.0-alpha.49"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.0.0-alpha.50"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.0.0-alpha.51"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.0.0-alpha.52"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.0.0-alpha.53"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.0.0-alpha.54"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.0.0-alpha.55"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.0.0-alpha.56"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.0.0-alpha.57"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.0.0-alpha.58"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.0.0-alpha.59"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.0.0-alpha.60"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.0.0-alpha.61"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.0.0-alpha.62"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.0.0-alpha.63"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "HyperChat", "source": "cna", "vendor": "BigSweetPotatoStudio"}, "product": "hyperchat", "vendor": "bigsweetpotatostudio"}], "analysis": {"en": {"generated_at": "2026-04-28T19:31:31.334126+00:00", "value": {"mitigation_remediation": ["Upgrade BigSweetPotatoStudio HyperChat to a version newer than 2.0.0\u2011alpha.63 once the vendor releases a fix.", "Replace or remove the AI Proxy Middleware if the feature is not required to reduce the attack surface.", "Validate or sanitize the baseurl argument before passing it to the fetch function, ensuring it does not point to internal or sensitive endpoints.", "Limit the middleware\u2019s network access to trusted destinations only, or place it behind a firewall that blocks outbound requests to untrusted hosts."], "summary": {"action": "Apply Patch", "impact": "Server-side Request Forgery"}, "threat_synthesis": {"affected_systems": "The issue affects BigSweetPotatoStudio HyperChat versions up to and including 2.0.0\u2011alpha.63. Users running any of these releases should verify their installation and consider upgrading to a fixed version once available.", "description_and_impact": "A flaw in the fetch function of the AI Proxy Middleware in BigSweetPotatoStudio HyperChat enables an attacker to manipulate the baseurl argument, causing the server to request arbitrary URLs on behalf of the compromised system. This server\u2011side request forgery can allow access to internal resources, data exfiltration, or further lateral movement, affecting confidentiality and integrity. The vulnerability is classified as CWE\u2011918 and has a CVSS score of 6.9, indicating moderate severity.", "risk_and_exploitability": "The exploit is remote and publicly available, though the EPSS score is not reported. The vulnerability has not been listed in the CISA KEV catalog, suggesting no confirmed exploitation in the wild to date. Nevertheless, the moderate CVSS score and the remote launch capability mean that an attacker can potentially leverage this flaw without needing local access, especially if the AI Proxy Middleware is exposed to the Internet."}}}}, "created": "2026-04-28T09:16:22.800180+00:00", "updated": "2026-04-28T19:45:07.577340+00:00", "vendors": ["bigsweetpotatostudio", "bigsweetpotatostudio$PRODUCT$hyperchat"]}