    4 vulnerabilities by SmythOS

    CVE-2026-7022 (GCVE-0-2026-7022)

    Vulnerability from nvd – Published: 2026-04-26 05:45 – Updated: 2026-04-27 13:52
    VLAI
    Title
    SmythOS sre HTTP Header AgentRuntime.class.ts AgentRuntime improper authentication
    Summary
    A security vulnerability has been detected in SmythOS sre up to 0.0.15. Affected is the function AgentRuntime of the file packages/core/src/subsystems/AgentManager/AgentRuntime.class.ts of the component HTTP Header Handler. Such manipulation of the argument X-DEBUG-RUN/X-DEBUG-INJ leads to improper authentication. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
    SSVC
    Exploitation: poc; Automatable: yes; Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-287 - Improper Authentication
    Assigner
    References
    URL | Tags
    https://vuldb.com/vuln/359601 | vdb-entry, technical-description
    https://vuldb.com/vuln/359601/cti | signature, permissions-required
    https://vuldb.com/submit/797643 | third-party-advisory
    https://gist.github.com/YLChen-007/c6a4a6a5f4c8b9… | exploit
    Impacted products
    Vendor | Product | Version
    SmythOS | sre | Affected: 0.0.1, 0.0.2, 0.0.3, 0.0.4, 0.0.5, 0.0.6, 0.0.7, 0.0.8, 0.0.9, 0.0.10, 0.0.11, 0.0.12, 0.0.13, 0.0.14, 0.0.15
    Credits
    Eric-b (VulDB User); VulDB CNA Team

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-7022",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-27T13:52:17.191444Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-27T13:52:30.369Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "modules": [
                "HTTP Header Handler"
              ],
              "product": "sre",
              "vendor": "SmythOS",
              "versions": [
                {
                  "status": "affected",
                  "version": "0.0.1"
                },
                {
                  "status": "affected",
                  "version": "0.0.2"
                },
                {
                  "status": "affected",
                  "version": "0.0.3"
                },
                {
                  "status": "affected",
                  "version": "0.0.4"
                },
                {
                  "status": "affected",
                  "version": "0.0.5"
                },
                {
                  "status": "affected",
                  "version": "0.0.6"
                },
                {
                  "status": "affected",
                  "version": "0.0.7"
                },
                {
                  "status": "affected",
                  "version": "0.0.8"
                },
                {
                  "status": "affected",
                  "version": "0.0.9"
                },
                {
                  "status": "affected",
                  "version": "0.0.10"
                },
                {
                  "status": "affected",
                  "version": "0.0.11"
                },
                {
                  "status": "affected",
                  "version": "0.0.12"
                },
                {
                  "status": "affected",
                  "version": "0.0.13"
                },
                {
                  "status": "affected",
                  "version": "0.0.14"
                },
                {
                  "status": "affected",
                  "version": "0.0.15"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Eric-b (VulDB User)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "VulDB CNA Team"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A security vulnerability has been detected in SmythOS sre up to 0.0.15. Affected is the function AgentRuntime of the file packages/core/src/subsystems/AgentManager/AgentRuntime.class.ts of the component HTTP Header Handler. Such manipulation of the argument X-DEBUG-RUN/X-DEBUG-INJ leads to improper authentication. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 6.9,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 7.5,
                "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-287",
                  "description": "Improper Authentication",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-26T05:45:11.931Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-359601 | SmythOS sre HTTP Header AgentRuntime.class.ts AgentRuntime improper authentication",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/vuln/359601"
            },
            {
              "name": "VDB-359601 | CTI Indicators (IOB, IOC, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/vuln/359601/cti"
            },
            {
              "name": "Submit #797643 | smythos sre \u003c= 0.0.15 Improper Authentication / Authorization Bypass (CWE-287 / CWE-63",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/submit/797643"
            },
            {
              "tags": [
                "exploit"
              ],
              "url": "https://gist.github.com/YLChen-007/c6a4a6a5f4c8b9e758f72c07ca0cd30d"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-04-25T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2026-04-25T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2026-04-25T15:57:35.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "SmythOS sre HTTP Header AgentRuntime.class.ts AgentRuntime improper authentication"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2026-7022",
        "datePublished": "2026-04-26T05:45:11.931Z",
        "dateReserved": "2026-04-25T13:52:25.805Z",
        "dateUpdated": "2026-04-27T13:52:30.369Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-7021 (GCVE-0-2026-7021)

    Vulnerability from nvd – Published: 2026-04-26 05:30 – Updated: 2026-04-27 13:31
    VLAI
    Title
    SmythOS sre Connector Service utils.ts information disclosure
    Summary
    A weakness has been identified in SmythOS sre up to 0.0.15. This impacts an unknown function of the file packages/sdk/src/LLM/utils.ts of the component Connector Service. This manipulation of the argument baseURL causes information disclosure. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
    SSVC
    Exploitation: poc; Automatable: no; Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    URL | Tags
    https://vuldb.com/vuln/359600 | vdb-entry, technical-description
    https://vuldb.com/vuln/359600/cti | signature, permissions-required
    https://vuldb.com/submit/797642 | third-party-advisory
    https://gist.github.com/YLChen-007/3d35e0ce819798… | exploit
    Impacted products
    Vendor | Product | Version
    SmythOS | sre | Affected: 0.0.1, 0.0.2, 0.0.3, 0.0.4, 0.0.5, 0.0.6, 0.0.7, 0.0.8, 0.0.9, 0.0.10, 0.0.11, 0.0.12, 0.0.13, 0.0.14, 0.0.15
    Credits
    Eric-b (VulDB User); VulDB CNA Team

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-7021",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-27T13:09:22.045971Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-27T13:31:51.415Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "modules": [
                "Connector Service"
              ],
              "product": "sre",
              "vendor": "SmythOS",
              "versions": [
                {
                  "status": "affected",
                  "version": "0.0.1"
                },
                {
                  "status": "affected",
                  "version": "0.0.2"
                },
                {
                  "status": "affected",
                  "version": "0.0.3"
                },
                {
                  "status": "affected",
                  "version": "0.0.4"
                },
                {
                  "status": "affected",
                  "version": "0.0.5"
                },
                {
                  "status": "affected",
                  "version": "0.0.6"
                },
                {
                  "status": "affected",
                  "version": "0.0.7"
                },
                {
                  "status": "affected",
                  "version": "0.0.8"
                },
                {
                  "status": "affected",
                  "version": "0.0.9"
                },
                {
                  "status": "affected",
                  "version": "0.0.10"
                },
                {
                  "status": "affected",
                  "version": "0.0.11"
                },
                {
                  "status": "affected",
                  "version": "0.0.12"
                },
                {
                  "status": "affected",
                  "version": "0.0.13"
                },
                {
                  "status": "affected",
                  "version": "0.0.14"
                },
                {
                  "status": "affected",
                  "version": "0.0.15"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Eric-b (VulDB User)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "VulDB CNA Team"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A weakness has been identified in SmythOS sre up to 0.0.15. This impacts an unknown function of the file packages/sdk/src/LLM/utils.ts of the component Connector Service. This manipulation of the argument baseURL causes information disclosure. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.1,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 3.5,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 3.5,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 4,
                "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:ND/RC:UR",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "Information Disclosure",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-284",
                  "description": "Improper Access Controls",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-26T05:30:15.403Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-359600 | SmythOS sre Connector Service utils.ts information disclosure",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/vuln/359600"
            },
            {
              "name": "VDB-359600 | CTI Indicators (IOB, IOC, TTP, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/vuln/359600/cti"
            },
            {
              "name": "Submit #797642 | smythos sdk \u003c= 0.0.15 Credential Exposure / Information Disclosure (CWE-200)",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/submit/797642"
            },
            {
              "tags": [
                "exploit"
              ],
              "url": "https://gist.github.com/YLChen-007/3d35e0ce8197989ee4de4a93def30d47"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-04-25T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2026-04-25T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2026-04-25T15:57:31.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "SmythOS sre Connector Service utils.ts information disclosure"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2026-7021",
        "datePublished": "2026-04-26T05:30:15.403Z",
        "dateReserved": "2026-04-25T13:52:21.716Z",
        "dateUpdated": "2026-04-27T13:31:51.415Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-7022 (GCVE-0-2026-7022)

    Vulnerability from cvelistv5 – Published: 2026-04-26 05:45 – Updated: 2026-04-27 13:52
    VLAI
    Title
    SmythOS sre HTTP Header AgentRuntime.class.ts AgentRuntime improper authentication
    Summary
    A security vulnerability has been detected in SmythOS sre up to 0.0.15. Affected is the function AgentRuntime of the file packages/core/src/subsystems/AgentManager/AgentRuntime.class.ts of the component HTTP Header Handler. Such manipulation of the argument X-DEBUG-RUN/X-DEBUG-INJ leads to improper authentication. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
    SSVC
    Exploitation: poc; Automatable: yes; Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-287 - Improper Authentication
    Assigner
    References
    URL | Tags
    https://vuldb.com/vuln/359601 | vdb-entry, technical-description
    https://vuldb.com/vuln/359601/cti | signature, permissions-required
    https://vuldb.com/submit/797643 | third-party-advisory
    https://gist.github.com/YLChen-007/c6a4a6a5f4c8b9… | exploit
    Impacted products
    Vendor | Product | Version
    SmythOS | sre | Affected: 0.0.1, 0.0.2, 0.0.3, 0.0.4, 0.0.5, 0.0.6, 0.0.7, 0.0.8, 0.0.9, 0.0.10, 0.0.11, 0.0.12, 0.0.13, 0.0.14, 0.0.15
    Credits
    Eric-b (VulDB User); VulDB CNA Team

    CVE-2026-7021 (GCVE-0-2026-7021)

    Vulnerability from cvelistv5 – Published: 2026-04-26 05:30 – Updated: 2026-04-27 13:31
    VLAI
    Title
    SmythOS sre Connector Service utils.ts information disclosure
    Summary
    A weakness has been identified in SmythOS sre up to 0.0.15. This impacts an unknown function of the file packages/sdk/src/LLM/utils.ts of the component Connector Service. This manipulation of the argument baseURL causes information disclosure. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
    SSVC
    Exploitation: poc; Automatable: no; Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    URL | Tags
    https://vuldb.com/vuln/359600 | vdb-entry, technical-description
    https://vuldb.com/vuln/359600/cti | signature, permissions-required
    https://vuldb.com/submit/797642 | third-party-advisory
    https://gist.github.com/YLChen-007/3d35e0ce819798… | exploit
    Impacted products
    Vendor | Product | Version
    SmythOS | sre | Affected: 0.0.1, 0.0.2, 0.0.3, 0.0.4, 0.0.5, 0.0.6, 0.0.7, 0.0.8, 0.0.9, 0.0.10, 0.0.11, 0.0.12, 0.0.13, 0.0.14, 0.0.15
    Credits
    Eric-b (VulDB User); VulDB CNA Team

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-7021",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-27T13:09:22.045971Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-27T13:31:51.415Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "modules": [
                "Connector Service"
              ],
              "product": "sre",
              "vendor": "SmythOS",
              "versions": [
                {
                  "status": "affected",
                  "version": "0.0.1"
                },
                {
                  "status": "affected",
                  "version": "0.0.2"
                },
                {
                  "status": "affected",
                  "version": "0.0.3"
                },
                {
                  "status": "affected",
                  "version": "0.0.4"
                },
                {
                  "status": "affected",
                  "version": "0.0.5"
                },
                {
                  "status": "affected",
                  "version": "0.0.6"
                },
                {
                  "status": "affected",
                  "version": "0.0.7"
                },
                {
                  "status": "affected",
                  "version": "0.0.8"
                },
                {
                  "status": "affected",
                  "version": "0.0.9"
                },
                {
                  "status": "affected",
                  "version": "0.0.10"
                },
                {
                  "status": "affected",
                  "version": "0.0.11"
                },
                {
                  "status": "affected",
                  "version": "0.0.12"
                },
                {
                  "status": "affected",
                  "version": "0.0.13"
                },
                {
                  "status": "affected",
                  "version": "0.0.14"
                },
                {
                  "status": "affected",
                  "version": "0.0.15"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Eric-b (VulDB User)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "VulDB CNA Team"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A weakness has been identified in SmythOS sre up to 0.0.15. This impacts an unknown function of the file packages/sdk/src/LLM/utils.ts of the component Connector Service. This manipulation of the argument baseURL causes information disclosure. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.1,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 3.5,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 3.5,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 4,
                "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:ND/RC:UR",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "Information Disclosure",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-284",
                  "description": "Improper Access Controls",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-26T05:30:15.403Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-359600 | SmythOS sre Connector Service utils.ts information disclosure",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/vuln/359600"
            },
            {
              "name": "VDB-359600 | CTI Indicators (IOB, IOC, TTP, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/vuln/359600/cti"
            },
            {
              "name": "Submit #797642 | smythos sdk \u003c= 0.0.15 Credential Exposure / Information Disclosure (CWE-200)",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/submit/797642"
            },
            {
              "tags": [
                "exploit"
              ],
              "url": "https://gist.github.com/YLChen-007/3d35e0ce8197989ee4de4a93def30d47"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-04-25T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2026-04-25T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2026-04-25T15:57:31.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "SmythOS sre Connector Service utils.ts information disclosure"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2026-7021",
        "datePublished": "2026-04-26T05:30:15.403Z",
        "dateReserved": "2026-04-25T13:52:21.716Z",
        "dateUpdated": "2026-04-27T13:31:51.415Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }