CVE-2026-7178

Name of the Vulnerable Software and Affected Versions ChatGPTNextWeb NextChat versions prior to 2.16.2

Description A server-side request forgery (SSRF) exists in the Artifacts Endpoint component. The issue resides in the storeUrl() function within the app/api/artifacts/route.ts file, where improper manipulation of the ID argument allows a remote attacker to initiate unauthorized requests from the server.

Recommendations Update to a version later than 2.16.1. As a temporary workaround, restrict access to the storeUrl() function in the app/api/artifacts/route.ts file to minimize the risk of exploitation.