High severity7.3NVD Advisory· Published Apr 27, 2026· Updated Apr 30, 2026

CVE-2026-7178

Description

A weakness has been identified in ChatGPTNextWeb NextChat up to 2.16.1. This affects the function storeUrl of the file app/api/artifacts/route.ts of the component Artifacts Endpoint. This manipulation of the argument ID causes server-side request forgery. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.

Affected products

Nextchat/Nextchat2 versions
cpe:2.3:a:nextchat:nextchat:2.16.0:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:nextchat:nextchat:2.16.0:*:*:*:*:*:*:*
- cpe:2.3:a:nextchat:nextchat:2.16.1:*:*:*:*:*:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

gist.github.com/YLChen-007/43252d45d75e8bdd2d45136fd6ffe8a5nvdExploitThird Party Advisory
vuldb.com/submit/797646nvdExploitThird Party AdvisoryVDB Entry
vuldb.com/vuln/359780nvdThird Party AdvisoryVDB Entry
github.com/ChatGPTNextWeb/NextChat/issues/6741nvdIssue Tracking
vuldb.com/vuln/359780/ctinvdPermissions Required

News mentions

No linked articles in our index yet.

cvss	0.474
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000