CVE-2026-7177
Published 2026-04-27
Priority: P3 (48)
CVSS 3.1: 7.3 High (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
EPSS: 0.36% (27.5th percentile)
A security flaw has been discovered in ChatGPTNextWeb NextChat up to 2.16.1. Affected by this issue is the function proxyHandler of the file app/api/[provider]/[...path]/route.ts. The manipulation results in server-side request forgery. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| chatgptnextweb | nextchat | — | — |
| chatgptnextweb | nextchat | — | — |
| nextchat | nextchat | — | — |
| nextchat | nextchat | — | — |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.3 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L |
| nvd | 4.0 | 5.5 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
VulDB (vuldb, 2026-04-28, CVSS 6.9, MEDIUM)
ChatGPTNextWeb NextChat up to 2.16.1 route.ts proxyHandler server-side request forgery (Issue 6742 / EUVD-2026-25928)
A vulnerability was found in ChatGPTNextWeb NextChat up to 2.16.1. It has been declared as critical. Affected by this issue is the function proxyHandler of the file app/api/[provider]/[...path]/route.ts. The manipulation results in server-side request forgery.
This vulnerability was named CVE-2026-7177. The attack may be performed from remote. In addition, an exploit is available.
The project was informed of the problem early through an issue report but has not responded yet.
GHSA (ghsa_unreviewed, 2026-04-28)
GHSA-ff75-fg5h-fjx7: CVE-2026-7177 [MEDIUM], CWE-918 (Server-Side Request Forgery)
A security flaw has been discovered in ChatGPTNextWeb NextChat up to 2.16.1. Affected by this issue is the function proxyHandler of the file app/api/[provider]/[...path]/route.ts. The manipulation results in server-side request forgery. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
No detection rules found.
No public exploits indexed.
Published: 2026-04-27