{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-9372/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-9372"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Vane \u003c= 1.12.1"],"_cs_severities":["medium"],"_cs_tags":["ssrf","cve-2026-9372","web application"],"_cs_type":"advisory","_cs_vendors":["ItzCrazyKns"],"content_html":"\u003cp\u003eA server-side request forgery (SSRF) vulnerability, tracked as CVE-2026-9372, has been identified in ItzCrazyKns Vane versions up to and including 1.12.1. The flaw lies in the Model Provider API, implemented in \u003ccode\u003esrc/app/api/providers/route.ts\u003c/code\u003e and served at the \u003ccode\u003e/api/providers\u003c/code\u003e route. An attacker who controls the \u003ccode\u003ebaseURL\u003c/code\u003e argument can make the server issue HTTP requests to arbitrary internal or external destinations, which can lead to information disclosure, internal reconnaissance, or further exploitation of internal systems. The vulnerability is remotely exploitable, and a proof-of-concept exploit is reported to be publicly available, although no PoC reference is linked in this entry. 
The vendor has been notified but has not yet responded to the report.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies an ItzCrazyKns Vane instance running version 1.12.1 or earlier.\u003c/li\u003e\n\u003cli\u003eAttacker sends a request to the \u003ccode\u003e/api/providers\u003c/code\u003e endpoint, which is handled by \u003ccode\u003esrc/app/api/providers/route.ts\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe request carries a \u003ccode\u003ebaseURL\u003c/code\u003e value that points at an internal resource (for example a loopback, link-local or private-network address) or at a server the attacker controls.\u003c/li\u003e\n\u003cli\u003eThe handler does not validate \u003ccode\u003ebaseURL\u003c/code\u003e and uses it as the base of an outbound HTTP request.\u003c/li\u003e\n\u003cli\u003eThe server issues the request to the attacker-chosen URL.\u003c/li\u003e\n\u003cli\u003eIf the target is internal, the server fetches the resource and may return its content, or an error or timing signal derived from it, to the attacker.\u003c/li\u003e\n\u003cli\u003eIf the target is attacker-controlled, the outbound request may carry headers or provider credentials that the attacker's server records.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the responses, errors, or timing to map the internal network or reach services that are not directly exposed.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-9372 gives an attacker server-side request forgery from the Vane host. This enables internal reconnaissance, where the attacker maps internal network resources, and potentially access to sensitive data held by internal services. 
The attacker may also use the vulnerable server as a proxy to bypass firewall restrictions and reach internal systems that are not exposed to the internet. The concrete impact depends on the network configuration and the services reachable from the Vane host, but the potential for information disclosure and lateral movement is significant.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eInspect logs for requests to \u003ccode\u003e/api/providers\u003c/code\u003e with unusual or unexpected \u003ccode\u003ebaseURL\u003c/code\u003e values, as in the rule \u003ccode\u003eDetect CVE-2026-9372 Exploitation — SSRF via baseURL Parameter\u003c/code\u003e. If \u003ccode\u003ebaseURL\u003c/code\u003e is sent in the request body rather than the query string, standard web server access logs will not record it; enable application-level or reverse-proxy logging of that field.\u003c/li\u003e\n\u003cli\u003eValidate \u003ccode\u003ebaseURL\u003c/code\u003e in \u003ccode\u003esrc/app/api/providers/route.ts\u003c/code\u003e before it is used: parse it, allow only \u003ccode\u003ehttp\u003c/code\u003e and \u003ccode\u003ehttps\u003c/code\u003e, reject loopback, link-local and private address ranges, and prefer an allowlist of permitted provider hosts. Host checks alone do not stop a name that later resolves to an internal address (DNS rebinding) or a redirect to one, so the outbound client should also refuse to follow redirects or re-validate their targets.\u003c/li\u003e\n\u003cli\u003eApply egress filtering and network segmentation so the Vane host can reach only the provider endpoints it needs, limiting the reach of any SSRF.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Outbound Connections from Vane to Unusual Destinations\u003c/code\u003e to identify SSRF attempts against external or internal resources.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for outbound connections from the Vane server to internal IPs or unusual external destinations.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-26T13:47:19Z","date_published":"2026-05-26T13:47:19Z","id":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-9372-ssrf/","summary":"A server-side request forgery (SSRF) vulnerability, identified as CVE-2026-9372, exists in ItzCrazyKns Vane up to and including version 1.12.1, allowing a remote attacker to manipulate the baseURL argument in the Model Provider API component and potentially conduct internal reconnaissance or access 
sensitive data.","title":"ItzCrazyKns Vane SSRF Vulnerability (CVE-2026-9372)","url":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-9372-ssrf/"}],"language":"en","title":"CraftedSignal Threat Feed — CVE-2026-9372","version":"https://jsonfeed.org/version/1.1"}