Which versions of Vane are affected by CVE-2026-9372?

ItzCrazyKns Vane versions up to 1.12.1 contain an unauthenticated server-side request forgery vulnerability that allows external attackers to access internal network resources by manipulating API…

Is there a public PoC exploit available for CVE-2026-9372?

Yes, a public proof-of-concept exploit is available for CVE-2026-9372. Prioritise patching immediately. EPSS: 0.0%.

Vane CVE-2026-9372

Q: What is the CVSS score of CVE-2026-9372?

CVE-2026-9372 has a CVSS 4.0 base score of 5.5 (Medium). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

EUVD-2026-31586 MEDIUM

Server-Side Request Forgery (SSRF) (CWE-918)

2026-05-24 VulDB

GHSA-g5cv-p9gg-j22x

SSRF

5.5

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

Severity Changed

May 26, 2026 - 20:07 NVD

HIGH MEDIUM

CVSS changed

May 26, 2026 - 20:07 NVD

7.3 (HIGH) 5.5 (MEDIUM)

Analysis Generated

May 24, 2026 - 10:45 vuln.today

DescriptionNVD

A flaw has been found in ItzCrazyKns Vane up to 1.12.1. This vulnerability affects unknown code of the file src/app/api/providers/route.ts of the component Model Provider API. This manipulation of the argument baseURL causes server-side request forgery. Remote exploitation of the attack is possible. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet.

AnalysisAI

Server-side request forgery (SSRF) in ItzCrazyKns Vane through version 1.12.1 enables unauthenticated remote attackers to manipulate the baseURL parameter in the Model Provider API, potentially accessing internal resources and services. The exploit has been publicly disclosed via a GitHub issue, and the CVSS temporal score indicates proof-of-concept code exists (E:P). …

RemediationAI

Within 24 hours: Inventory all instances of ItzCrazyKns Vane in production and development environments; document version numbers and network exposure. Within 7 days: Implement network-level controls to restrict outbound connections from affected Vane instances to internal resources only; disable or restrict access to the Model Provider API endpoint if business-critical functionality permits. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-9372 vulnerability details – vuln.today

Back

Vane CVE-2026-9372

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Analysis

Full analysis requires sign-in

Share

Vane CVE-2026-9372

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code