{"api_version":"1","generated_at":"2026-04-26T12:12:38+00:00","cve":"CVE-2026-7021","urls":{"html":"https://cve.report/CVE-2026-7021","api":"https://cve.report/api/cve/CVE-2026-7021.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-7021","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-7021"},"summary":{"title":"SmythOS sre Connector Service utils.ts information disclosure","description":"A weakness has been identified in SmythOS sre up to 0.0.15. This impacts an unknown function of the file packages/sdk/src/LLM/utils.ts of the component Connector Service. This manipulation of the argument baseURL causes information disclosure. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.","state":"PUBLISHED","assigner":"VulDB","published_at":"2026-04-26 06:16:00","updated_at":"2026-04-26 06:16:00"},"problem_types":["CWE-200","CWE-284","CWE-200 Information Disclosure","CWE-284 Improper Access Controls"],"metrics":[{"version":"4.0","source":"cna@vuldb.com","type":"Secondary","score":"5.1","severity":"MEDIUM","vector":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","data":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":5.1,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"LOW","userInteraction":"PASSIVE","vulnConfidentialityImpact":"LOW","vulnIntegrityImpact":"NONE","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"PROOF_OF_CONCEPT","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}},{"version":"4.0","source":"CNA","type":"DECLARED","score":"5.1","severity":"MEDIUM","vector":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P","data":{"baseScore":5.1,"baseSeverity":"MEDIUM","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P","version":"4.0"}},{"version":"3.1","source":"cna@vuldb.com","type":"Primary","score":"3.5","severity":"LOW","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N","baseScore":3.5,"baseSeverity":"LOW","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"}},{"version":"3.1","source":"CNA","type":"DECLARED","score":"3.5","severity":"LOW","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R","data":{"baseScore":3.5,"baseSeverity":"LOW","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R","version":"3.1"}},{"version":"3.0","source":"CNA","type":"DECLARED","score":"3.5","severity":"LOW","vector":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R","data":{"baseScore":3.5,"baseSeverity":"LOW","vectorString":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R","version":"3.0"}},{"version":"2.0","source":"cna@vuldb.com","type":"Secondary","score":"4","severity":"","vector":"AV:N/AC:L/Au:S/C:P/I:N/A:N","data":{"version":"2.0","vectorString":"AV:N/AC:L/Au:S/C:P/I:N/A:N","baseScore":4,"accessVector":"NETWORK","accessComplexity":"LOW","authentication":"SINGLE","confidentialityImpact":"PARTIAL","integrityImpact":"NONE","availabilityImpact":"NONE"}},{"version":"2.0","source":"CNA","type":"DECLARED","score":"4","severity":"","vector":"AV:N/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:ND/RC:UR","data":{"baseScore":4,"vectorString":"AV:N/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:ND/RC:UR","version":"2.0"}}],"references":[{"url":"https://gist.github.com/YLChen-007/3d35e0ce8197989ee4de4a93def30d47","name":"https://gist.github.com/YLChen-007/3d35e0ce8197989ee4de4a93def30d47","refsource":"cna@vuldb.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://vuldb.com/vuln/359600/cti","name":"https://vuldb.com/vuln/359600/cti","refsource":"cna@vuldb.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://vuldb.com/vuln/359600","name":"https://vuldb.com/vuln/359600","refsource":"cna@vuldb.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://vuldb.com/submit/797642","name":"https://vuldb.com/submit/797642","refsource":"cna@vuldb.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-7021","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-7021","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"SmythOS","product":"sre","version":"affected 0.0.1","platforms":[]},{"source":"CNA","vendor":"SmythOS","product":"sre","version":"affected 0.0.2","platforms":[]},{"source":"CNA","vendor":"SmythOS","product":"sre","version":"affected 0.0.3","platforms":[]},{"source":"CNA","vendor":"SmythOS","product":"sre","version":"affected 0.0.4","platforms":[]},{"source":"CNA","vendor":"SmythOS","product":"sre","version":"affected 0.0.5","platforms":[]},{"source":"CNA","vendor":"SmythOS","product":"sre","version":"affected 0.0.6","platforms":[]},{"source":"CNA","vendor":"SmythOS","product":"sre","version":"affected 0.0.7","platforms":[]},{"source":"CNA","vendor":"SmythOS","product":"sre","version":"affected 0.0.8","platforms":[]},{"source":"CNA","vendor":"SmythOS","product":"sre","version":"affected 0.0.9","platforms":[]},{"source":"CNA","vendor":"SmythOS","product":"sre","version":"affected 0.0.10","platforms":[]},{"source":"CNA","vendor":"SmythOS","product":"sre","version":"affected 0.0.11","platforms":[]},{"source":"CNA","vendor":"SmythOS","product":"sre","version":"affected 0.0.12","platforms":[]},{"source":"CNA","vendor":"SmythOS","product":"sre","version":"affected 0.0.13","platforms":[]},{"source":"CNA","vendor":"SmythOS","product":"sre","version":"affected 0.0.14","platforms":[]},{"source":"CNA","vendor":"SmythOS","product":"sre","version":"affected 0.0.15","platforms":[]}],"timeline":[{"source":"CNA","time":"2026-04-25T00:00:00.000Z","lang":"en","value":"Advisory disclosed"},{"source":"CNA","time":"2026-04-25T02:00:00.000Z","lang":"en","value":"VulDB entry created"},{"source":"CNA","time":"2026-04-25T15:57:31.000Z","lang":"en","value":"VulDB entry last update"}],"solutions":[],"workarounds":[],"exploits":[],"credits":[{"source":"CNA","value":"Eric-b (VulDB User)","lang":"en"},{"source":"CNA","value":"VulDB CNA Team","lang":"en"}],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"modules":["Connector Service"],"product":"sre","vendor":"SmythOS","versions":[{"status":"affected","version":"0.0.1"},{"status":"affected","version":"0.0.2"},{"status":"affected","version":"0.0.3"},{"status":"affected","version":"0.0.4"},{"status":"affected","version":"0.0.5"},{"status":"affected","version":"0.0.6"},{"status":"affected","version":"0.0.7"},{"status":"affected","version":"0.0.8"},{"status":"affected","version":"0.0.9"},{"status":"affected","version":"0.0.10"},{"status":"affected","version":"0.0.11"},{"status":"affected","version":"0.0.12"},{"status":"affected","version":"0.0.13"},{"status":"affected","version":"0.0.14"},{"status":"affected","version":"0.0.15"}]}],"credits":[{"lang":"en","type":"reporter","value":"Eric-b (VulDB User)"},{"lang":"en","type":"coordinator","value":"VulDB CNA Team"}],"descriptions":[{"lang":"en","value":"A weakness has been identified in SmythOS sre up to 0.0.15. This impacts an unknown function of the file packages/sdk/src/LLM/utils.ts of the component Connector Service. This manipulation of the argument baseURL causes information disclosure. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way."}],"metrics":[{"cvssV4_0":{"baseScore":5.1,"baseSeverity":"MEDIUM","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P","version":"4.0"}},{"cvssV3_1":{"baseScore":3.5,"baseSeverity":"LOW","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R","version":"3.1"}},{"cvssV3_0":{"baseScore":3.5,"baseSeverity":"LOW","vectorString":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R","version":"3.0"}},{"cvssV2_0":{"baseScore":4,"vectorString":"AV:N/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:ND/RC:UR","version":"2.0"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-200","description":"Information Disclosure","lang":"en","type":"CWE"}]},{"descriptions":[{"cweId":"CWE-284","description":"Improper Access Controls","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-04-26T05:30:15.403Z","orgId":"1af790b2-7ee1-4545-860a-a788eba489b5","shortName":"VulDB"},"references":[{"name":"VDB-359600 | SmythOS sre Connector Service utils.ts information disclosure","tags":["vdb-entry","technical-description"],"url":"https://vuldb.com/vuln/359600"},{"name":"VDB-359600 | CTI Indicators (IOB, IOC, TTP, IOA)","tags":["signature","permissions-required"],"url":"https://vuldb.com/vuln/359600/cti"},{"name":"Submit #797642 | smythos sdk <= 0.0.15 Credential Exposure / Information Disclosure (CWE-200)","tags":["third-party-advisory"],"url":"https://vuldb.com/submit/797642"},{"tags":["exploit"],"url":"https://gist.github.com/YLChen-007/3d35e0ce8197989ee4de4a93def30d47"}],"timeline":[{"lang":"en","time":"2026-04-25T00:00:00.000Z","value":"Advisory disclosed"},{"lang":"en","time":"2026-04-25T02:00:00.000Z","value":"VulDB entry created"},{"lang":"en","time":"2026-04-25T15:57:31.000Z","value":"VulDB entry last update"}],"title":"SmythOS sre Connector Service utils.ts information disclosure"}},"cveMetadata":{"assignerOrgId":"1af790b2-7ee1-4545-860a-a788eba489b5","assignerShortName":"VulDB","cveId":"CVE-2026-7021","datePublished":"2026-04-26T05:30:15.403Z","dateReserved":"2026-04-25T13:52:21.716Z","dateUpdated":"2026-04-26T05:30:15.403Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-04-26 06:16:00","lastModifiedDate":"2026-04-26 06:16:00","problem_types":["CWE-200","CWE-284","CWE-200 Information Disclosure","CWE-284 Improper Access Controls"],"metrics":{"cvssMetricV40":[{"source":"cna@vuldb.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":5.1,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"LOW","userInteraction":"PASSIVE","vulnConfidentialityImpact":"LOW","vulnIntegrityImpact":"NONE","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"PROOF_OF_CONCEPT","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"cna@vuldb.com","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N","baseScore":3.5,"baseSeverity":"LOW","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.1,"impactScore":1.4}],"cvssMetricV2":[{"source":"cna@vuldb.com","type":"Secondary","cvssData":{"version":"2.0","vectorString":"AV:N/AC:L/Au:S/C:P/I:N/A:N","baseScore":4,"accessVector":"NETWORK","accessComplexity":"LOW","authentication":"SINGLE","confidentialityImpact":"PARTIAL","integrityImpact":"NONE","availabilityImpact":"NONE"},"baseSeverity":"MEDIUM","exploitabilityScore":8,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"7021","Ordinal":"1","Title":"SmythOS sre Connector Service utils.ts information disclosure","CVE":"CVE-2026-7021","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"7021","Ordinal":"1","NoteData":"A weakness has been identified in SmythOS sre up to 0.0.15. This impacts an unknown function of the file packages/sdk/src/LLM/utils.ts of the component Connector Service. This manipulation of the argument baseURL causes information disclosure. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.","Type":"Description","Title":"SmythOS sre Connector Service utils.ts information disclosure"}]}}}