CVE-2026-7147 | JoeCastrom mcp-chat-studio up to 1.5.0 LLM Models API server/routes/llm.js req.query.base_url server-side request forgery

Inserito da Angelo Barbosa | Apr 26, 2026 | CVE

A vulnerability, which was classified as critical, has been found in JoeCastrom mcp-chat-studio up to 1.5.0. Affected by this issue is some unknown functionality of the file server/routes/llm.js of the component LLM Models API. Performing a manipulation of the argument req.query.base_url results in server-side request forgery.

This vulnerability is known as CVE-2026-7147. Remote exploitation of the attack is possible. Furthermore, an exploit is available.

The project was informed of the problem early through an issue report but has not responded yet.

CVE-2026-7147 | JoeCastrom mcp-chat-studio up to 1.5.0 LLM Models API server/routes/llm.js req.query.base_url server-side request forgery

Post correlati

CVE-2025-57200 | AVTECH DGM1104 FullImg-1015-1004-1006-1003 test_mail command injection

CVE-2024-5681 | Schneider Electric EcoStruxure Foxboro DCS Core Control Services up to 9.8 IOCTL Call Foxboro.sys input validation (SEVD-2024-191-02)

CVE-2024-8754 | GitLab Enterprise Edition up to 17.1.6/17.2.4/17.3.1 external control of critical state data (Issue 464062)

CVE-2025-13367 | User Registration & Membership Plugin up to 4.4.6 on WordPress Shortcode cross site scripting