CVE-2026-7643
Published: 2026-05-02
Priority: P4 (24, medium)
CVSS 3.1 base score: 4.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)
EPSS: 0.16% (5.4th percentile)
A flaw has been found in ChatGPTNextWeb NextChat up to 2.16.1. This impacts an unknown function of the file Next.js of the component API Endpoint. Executing a manipulation can lead to permissive cross-domain policy with untrusted domains. The attack may be launched remotely. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| chatgptnextweb | nextchat | — | — |
| chatgptnextweb | nextchat | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 4.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N |
| nvd | 4.0 | 2.1 | LOW | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| nvd | 2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N |
GHSA
GHSA-cv87-px3c-7h2j (ghsa_unreviewed, 2026-05-02): CVE-2026-7643, severity LOW, CWE-346 (Origin Validation Error). The advisory text is the same description as above.
VulDB
ChatGPTNextWeb NextChat up to 2.16.1 API Endpoint Next.js cross-domain policy (Issue 6756) (vuldb, 2026-05-01): CVE-2026-7643, severity LOW
A vulnerability, which was classified as problematic, was found in ChatGPTNextWeb NextChat up to 2.16.1. This impacts an unknown function of the file Next.js of the component API Endpoint. Executing a manipulation can lead to permissive cross-domain policy with untrusted domains.
The identification of this vulnerability is CVE-2026-7643. The attack may be launched remotely. Furthermore, there is an exploit available.
The project was informed of the problem early through an issue report but has not responded yet.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.