5 matches found
CVE-2026-34162
FastGPT is an AI Agent building platform. Prior to version 4.14.9.5, the FastGPT HTTP tools testing endpoint /api/core/app/httpTools/runTool is exposed without any authentication. This endpoint acts as a full HTTP proxy — it accepts a user-supplied baseUrl, toolPath, HTTP method, custom headers,...
CVE-2026-34162 FastGPT: Unauthenticated SSRF via httpTools Endpoint Leads to Internal API Key Theft
FastGPT is an AI Agent building platform. Prior to version 4.14.9.5, the FastGPT HTTP tools testing endpoint /api/core/app/httpTools/runTool is exposed without any authentication. This endpoint acts as a full HTTP proxy — it accepts a user-supplied baseUrl, toolPath, HTTP method, custom headers,...
CVE-2026-34162
Product: FastGPTVulnerability: Unauthenticated SSRF via the /api/core/app/httpTools/runTool endpointImpact: Potential internal API key theft; full server-side HTTP proxy behavior exposes response dataAffected versions: before 4.14.9.5Fix/mitigation: Upgrade to 4.14.9.5 (patched)CVSSv3.1: 10.0 (CR...
CVE-2026-34162 FastGPT: Unauthenticated SSRF via httpTools Endpoint Leads to Internal API Key Theft
FastGPT is an AI Agent building platform. Prior to version 4.14.9.5, the FastGPT HTTP tools testing endpoint /api/core/app/httpTools/runTool is exposed without any authentication. This endpoint acts as a full HTTP proxy — it accepts a user-supplied baseUrl, toolPath, HTTP method, custom headers,...
chameli (>=0.1.12 <=0.1.16), clotho (=0.1.0) +12 more potentially affected by CVE-2025-23217 via mitmproxy (>=10.1.5 <=11.0.2)
mitmproxy PYPI version =10.1.5, =0.1.12, =0.1.0, =4.0.0, =0.34.0, =0.11.0, =1.0.0, =1.1.0, =0.1.0, =3.2.0, =0.0.1, =0.0.3 Source cves: CVE-2025-23217 Source advisory: OSV:GHSA-WG33-5H85-7Q5P...