A vulnerability was identified in BigSweetPotatoStudio HyperChat up to 2.0.0-alpha.63. Affected by this issue is the function fetch of the file packages/core/src/http/aiProxyMiddleware.mts of the component AI Proxy Middleware. Such manipulation of the argument baseurl leads to server-side request forgery. The attack can be launched remotely. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet.
{
"cna_assigner": "VulDB",
"unresolved_ranges": [
{
"source": "AFFECTED_FIELD",
"extracted_events": [
{
"introduced": "2.0.0-alpha.0"
},
{
"last_affected": "2.0.0-alpha.0"
},
{
"introduced": "2.0.0-alpha.2"
},
{
"last_affected": "2.0.0-alpha.2"
},
{
"introduced": "2.0.0-alpha.3"
},
{
"last_affected": "2.0.0-alpha.3"
},
{
"introduced": "2.0.0-alpha.4"
},
{
"last_affected": "2.0.0-alpha.4"
},
{
"introduced": "2.0.0-alpha.5"
},
{
"last_affected": "2.0.0-alpha.5"
},
{
"introduced": "2.0.0-alpha.6"
},
{
"last_affected": "2.0.0-alpha.6"
},
{
"introduced": "2.0.0-alpha.7"
},
{
"last_affected": "2.0.0-alpha.7"
},
{
"introduced": "2.0.0-alpha.8"
},
{
"last_affected": "2.0.0-alpha.8"
},
{
"introduced": "2.0.0-alpha.9"
},
{
"last_affected": "2.0.0-alpha.9"
},
{
"introduced": "2.0.0-alpha.10"
},
{
"last_affected": "2.0.0-alpha.10"
},
{
"introduced": "2.0.0-alpha.11"
},
{
"last_affected": "2.0.0-alpha.11"
},
{
"introduced": "2.0.0-alpha.12"
},
{
"last_affected": "2.0.0-alpha.12"
},
{
"introduced": "2.0.0-alpha.13"
},
{
"last_affected": "2.0.0-alpha.13"
},
{
"introduced": "2.0.0-alpha.14"
},
{
"last_affected": "2.0.0-alpha.14"
},
{
"introduced": "2.0.0-alpha.15"
},
{
"last_affected": "2.0.0-alpha.15"
},
{
"introduced": "2.0.0-alpha.16"
},
{
"last_affected": "2.0.0-alpha.16"
},
{
"introduced": "2.0.0-alpha.17"
},
{
"last_affected": "2.0.0-alpha.17"
},
{
"introduced": "2.0.0-alpha.18"
},
{
"last_affected": "2.0.0-alpha.18"
},
{
"introduced": "2.0.0-alpha.30"
},
{
"last_affected": "2.0.0-alpha.30"
},
{
"introduced": "2.0.0-alpha.35"
},
{
"last_affected": "2.0.0-alpha.35"
},
{
"introduced": "2.0.0-alpha.36"
},
{
"last_affected": "2.0.0-alpha.36"
},
{
"introduced": "2.0.0-alpha.37"
},
{
"last_affected": "2.0.0-alpha.37"
},
{
"introduced": "2.0.0-alpha.38"
},
{
"last_affected": "2.0.0-alpha.38"
},
{
"introduced": "2.0.0-alpha.40"
},
{
"last_affected": "2.0.0-alpha.40"
},
{
"introduced": "2.0.0-alpha.42"
},
{
"last_affected": "2.0.0-alpha.42"
},
{
"introduced": "2.0.0-alpha.44"
},
{
"last_affected": "2.0.0-alpha.44"
},
{
"introduced": "2.0.0-alpha.45"
},
{
"last_affected": "2.0.0-alpha.45"
},
{
"introduced": "2.0.0-alpha.46"
},
{
"last_affected": "2.0.0-alpha.46"
},
{
"introduced": "2.0.0-alpha.47"
},
{
"last_affected": "2.0.0-alpha.47"
},
{
"introduced": "2.0.0-alpha.48"
},
{
"last_affected": "2.0.0-alpha.48"
},
{
"introduced": "2.0.0-alpha.49"
},
{
"last_affected": "2.0.0-alpha.49"
},
{
"introduced": "2.0.0-alpha.55"
},
{
"last_affected": "2.0.0-alpha.55"
}
]
}
],
"cwe_ids": [
"CWE-918"
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/7xxx/CVE-2026-7223.json"
}{
"source": "AFFECTED_FIELD",
"extracted_events": [
{
"introduced": "2.0.0-alpha.1"
},
{
"last_affected": "2.0.0-alpha.1"
},
{
"introduced": "2.0.0-alpha.19"
},
{
"last_affected": "2.0.0-alpha.19"
},
{
"introduced": "2.0.0-alpha.20"
},
{
"last_affected": "2.0.0-alpha.20"
},
{
"introduced": "2.0.0-alpha.21"
},
{
"last_affected": "2.0.0-alpha.21"
},
{
"introduced": "2.0.0-alpha.22"
},
{
"last_affected": "2.0.0-alpha.22"
},
{
"introduced": "2.0.0-alpha.23"
},
{
"last_affected": "2.0.0-alpha.23"
},
{
"introduced": "2.0.0-alpha.24"
},
{
"last_affected": "2.0.0-alpha.24"
},
{
"introduced": "2.0.0-alpha.25"
},
{
"last_affected": "2.0.0-alpha.25"
},
{
"introduced": "2.0.0-alpha.26"
},
{
"last_affected": "2.0.0-alpha.26"
},
{
"introduced": "2.0.0-alpha.27"
},
{
"last_affected": "2.0.0-alpha.27"
},
{
"introduced": "2.0.0-alpha.28"
},
{
"last_affected": "2.0.0-alpha.28"
},
{
"introduced": "2.0.0-alpha.29"
},
{
"last_affected": "2.0.0-alpha.29"
},
{
"introduced": "2.0.0-alpha.31"
},
{
"last_affected": "2.0.0-alpha.31"
},
{
"introduced": "2.0.0-alpha.32"
},
{
"last_affected": "2.0.0-alpha.32"
},
{
"introduced": "2.0.0-alpha.33"
},
{
"last_affected": "2.0.0-alpha.33"
},
{
"introduced": "2.0.0-alpha.34"
},
{
"last_affected": "2.0.0-alpha.34"
},
{
"introduced": "2.0.0-alpha.39"
},
{
"last_affected": "2.0.0-alpha.39"
},
{
"introduced": "2.0.0-alpha.41"
},
{
"last_affected": "2.0.0-alpha.41"
},
{
"introduced": "2.0.0-alpha.43"
},
{
"last_affected": "2.0.0-alpha.43"
},
{
"introduced": "2.0.0-alpha.50"
},
{
"last_affected": "2.0.0-alpha.50"
},
{
"introduced": "2.0.0-alpha.51"
},
{
"last_affected": "2.0.0-alpha.51"
},
{
"introduced": "2.0.0-alpha.52"
},
{
"last_affected": "2.0.0-alpha.52"
},
{
"introduced": "2.0.0-alpha.53"
},
{
"last_affected": "2.0.0-alpha.53"
},
{
"introduced": "2.0.0-alpha.54"
},
{
"last_affected": "2.0.0-alpha.54"
},
{
"introduced": "2.0.0-alpha.56"
},
{
"last_affected": "2.0.0-alpha.56"
},
{
"introduced": "2.0.0-alpha.57"
},
{
"last_affected": "2.0.0-alpha.57"
},
{
"introduced": "2.0.0-alpha.58"
},
{
"last_affected": "2.0.0-alpha.58"
},
{
"introduced": "2.0.0-alpha.59"
},
{
"last_affected": "2.0.0-alpha.59"
},
{
"introduced": "2.0.0-alpha.60"
},
{
"last_affected": "2.0.0-alpha.60"
},
{
"introduced": "2.0.0-alpha.61"
},
{
"last_affected": "2.0.0-alpha.61"
},
{
"introduced": "2.0.0-alpha.62"
},
{
"last_affected": "2.0.0-alpha.62"
},
{
"introduced": "2.0.0-alpha.63"
},
{
"last_affected": "2.0.0-alpha.63"
}
]
}