Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
2 vulnerabilities by SmythOS
CVE-2026-7022 (GCVE-0-2026-7022)
Vulnerability from cvelistv5 – Published: 2026-04-26 05:45 – Updated: 2026-04-26 05:45
VLAI?
Title
SmythOS sre HTTP Header AgentRuntime.class.ts AgentRuntime improper authentication
Summary
A security vulnerability has been detected in SmythOS sre up to 0.0.15. Affected is the function AgentRuntime of the file packages/core/src/subsystems/AgentManager/AgentRuntime.class.ts of the component HTTP Header Handler. Such manipulation of the argument X-DEBUG-RUN/X-DEBUG-INJ leads to improper authentication. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity ?
CWE
- CWE-287 - Improper Authentication
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
Credits
{
"containers": {
"cna": {
"affected": [
{
"modules": [
"HTTP Header Handler"
],
"product": "sre",
"vendor": "SmythOS",
"versions": [
{
"status": "affected",
"version": "0.0.1"
},
{
"status": "affected",
"version": "0.0.2"
},
{
"status": "affected",
"version": "0.0.3"
},
{
"status": "affected",
"version": "0.0.4"
},
{
"status": "affected",
"version": "0.0.5"
},
{
"status": "affected",
"version": "0.0.6"
},
{
"status": "affected",
"version": "0.0.7"
},
{
"status": "affected",
"version": "0.0.8"
},
{
"status": "affected",
"version": "0.0.9"
},
{
"status": "affected",
"version": "0.0.10"
},
{
"status": "affected",
"version": "0.0.11"
},
{
"status": "affected",
"version": "0.0.12"
},
{
"status": "affected",
"version": "0.0.13"
},
{
"status": "affected",
"version": "0.0.14"
},
{
"status": "affected",
"version": "0.0.15"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Eric-b (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A security vulnerability has been detected in SmythOS sre up to 0.0.15. Affected is the function AgentRuntime of the file packages/core/src/subsystems/AgentManager/AgentRuntime.class.ts of the component HTTP Header Handler. Such manipulation of the argument X-DEBUG-RUN/X-DEBUG-INJ leads to improper authentication. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 7.5,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-26T05:45:11.931Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-359601 | SmythOS sre HTTP Header AgentRuntime.class.ts AgentRuntime improper authentication",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/359601"
},
{
"name": "VDB-359601 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/359601/cti"
},
{
"name": "Submit #797643 | smythos sre \u003c= 0.0.15 Improper Authentication / Authorization Bypass (CWE-287 / CWE-63",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/797643"
},
{
"tags": [
"exploit"
],
"url": "https://gist.github.com/YLChen-007/c6a4a6a5f4c8b9e758f72c07ca0cd30d"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-25T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-04-25T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-04-25T15:57:35.000Z",
"value": "VulDB entry last update"
}
],
"title": "SmythOS sre HTTP Header AgentRuntime.class.ts AgentRuntime improper authentication"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-7022",
"datePublished": "2026-04-26T05:45:11.931Z",
"dateReserved": "2026-04-25T13:52:25.805Z",
"dateUpdated": "2026-04-26T05:45:11.931Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-7021 (GCVE-0-2026-7021)
Vulnerability from cvelistv5 – Published: 2026-04-26 05:30 – Updated: 2026-04-26 05:30
VLAI?
Title
SmythOS sre Connector Service utils.ts information disclosure
Summary
A weakness has been identified in SmythOS sre up to 0.0.15. This impacts an unknown function of the file packages/sdk/src/LLM/utils.ts of the component Connector Service. This manipulation of the argument baseURL causes information disclosure. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Severity ?
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
Credits
{
"containers": {
"cna": {
"affected": [
{
"modules": [
"Connector Service"
],
"product": "sre",
"vendor": "SmythOS",
"versions": [
{
"status": "affected",
"version": "0.0.1"
},
{
"status": "affected",
"version": "0.0.2"
},
{
"status": "affected",
"version": "0.0.3"
},
{
"status": "affected",
"version": "0.0.4"
},
{
"status": "affected",
"version": "0.0.5"
},
{
"status": "affected",
"version": "0.0.6"
},
{
"status": "affected",
"version": "0.0.7"
},
{
"status": "affected",
"version": "0.0.8"
},
{
"status": "affected",
"version": "0.0.9"
},
{
"status": "affected",
"version": "0.0.10"
},
{
"status": "affected",
"version": "0.0.11"
},
{
"status": "affected",
"version": "0.0.12"
},
{
"status": "affected",
"version": "0.0.13"
},
{
"status": "affected",
"version": "0.0.14"
},
{
"status": "affected",
"version": "0.0.15"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Eric-b (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A weakness has been identified in SmythOS sre up to 0.0.15. This impacts an unknown function of the file packages/sdk/src/LLM/utils.ts of the component Connector Service. This manipulation of the argument baseURL causes information disclosure. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 3.5,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 3.5,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 4,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "Information Disclosure",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "Improper Access Controls",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-26T05:30:15.403Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-359600 | SmythOS sre Connector Service utils.ts information disclosure",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/359600"
},
{
"name": "VDB-359600 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/359600/cti"
},
{
"name": "Submit #797642 | smythos sdk \u003c= 0.0.15 Credential Exposure / Information Disclosure (CWE-200)",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/797642"
},
{
"tags": [
"exploit"
],
"url": "https://gist.github.com/YLChen-007/3d35e0ce8197989ee4de4a93def30d47"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-25T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-04-25T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-04-25T15:57:31.000Z",
"value": "VulDB entry last update"
}
],
"title": "SmythOS sre Connector Service utils.ts information disclosure"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-7021",
"datePublished": "2026-04-26T05:30:15.403Z",
"dateReserved": "2026-04-25T13:52:21.716Z",
"dateUpdated": "2026-04-26T05:30:15.403Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}