VYPR

Nextchat

by ChatGPTNextWeb

npm: nextchat

Source repositories

CVEs (8)

  • CVE-2026-7644 · High · May 2, 2026
    risk 0.47 · cvss 7.3 · epss 0.00

    A vulnerability has been found in ChatGPTNextWeb NextChat up to 2.16.1. Affected is the function addMcpServer of the file app/mcp/actions.ts. The manipulation leads to improper authorization. Remote exploitation of the attack is possible. The exploit has been disclosed to the…

  • CVE-2026-7178 · High · Apr 27, 2026
    risk 0.47 · cvss 7.3 · epss 0.00

    A weakness has been identified in ChatGPTNextWeb NextChat up to 2.16.1. This affects the function storeUrl of the file app/api/artifacts/route.ts of the component Artifacts Endpoint. This manipulation of the argument ID causes server-side request forgery. It is possible to…

  • CVE-2026-7177 · High · Apr 27, 2026
    risk 0.47 · cvss 7.3 · epss 0.00

    A security flaw has been discovered in ChatGPTNextWeb NextChat up to 2.16.1. Affected by this issue is the function proxyHandler of the file app/api/[provider]/[...path]/route.ts. The manipulation results in server-side request forgery. The attack may be performed from remote.…

  • CVE-2024-38514 · High · Jun 28, 2024
    risk 0.47 · cvss 7.4 · epss 0.02

    NextChat is a cross-platform ChatGPT/Gemini UI. There is a Server-Side Request Forgery (SSRF) vulnerability due to a lack of validation of the `endpoint` GET parameter on the WebDav API endpoint. This SSRF can be used to perform arbitrary HTTPS request from the vulnerable…

  • CVE-2025-50733 · Medium · Aug 22, 2025
    risk 0.40 · cvss 6.1 · epss 0.00

    NextChat contains a cross-site scripting (XSS) vulnerability in the HTMLPreview component of artifacts.tsx that allows attackers to execute arbitrary JavaScript code when HTML content is rendered in the AI chat interface. The vulnerability occurs because user-influenced HTML…

  • CVE-2026-7643 · Medium · May 2, 2026
    risk 0.28 · cvss 4.3 · epss 0.00

    A flaw has been found in ChatGPTNextWeb NextChat up to 2.16.1. This impacts an unknown function of the file Next.js of the component API Endpoint. Executing a manipulation can lead to permissive cross-domain policy with untrusted domains. The attack may be launched remotely. The…

  • CVE-2023-49785 · Mar 11, 2024
    risk 0.07 · cvss (not listed) · epss 0.83

    NextChat, also known as ChatGPT-Next-Web, is a cross-platform chat user interface for use with ChatGPT. Versions 2.11.2 and prior are vulnerable to server-side request forgery and cross-site scripting. This vulnerability enables read access to internal HTTP endpoints but also…

  • CVE-2025-50735 · Nov 3, 2025
    risk 0.00 · cvss (not listed) · epss 0.01

    Directory traversal vulnerability in NextChat thru 2.16.0 due to the WebDAV proxy failing to canonicalize or reject dot path segments in its catch-all route, allowing attackers to gain sensitive information via authenticated or anonymous WebDAV endpoints.