A server-side request forgery (SSRF) vulnerability exists in ItzCrazyKns Vane up to version 1.12.1, specifically within the Model Provider API component located at src/app/api/providers/route.ts. The vulnerability stems from improper validation of the baseURL argument, allowing remote attackers to manipulate this parameter to induce unauthorized server-side requests. The issue was reported to the project [truncated]
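
The kind of validation whose absence the SSRF description above points to, as an added example that is not code from the Vane repository: the function name `checkBaseURL`, the allowlist contents and the https-only policy are assumptions made for illustration.

```typescript
// Added example: hypothetical baseURL check, not code from the Vane repository.
type Verdict = { ok: boolean; reason: string };

// Constructed allowlist (assumption): provider API hosts the operator trusts.
const ALLOWED_HOSTS = new Set<string>(["api.openai.com", "api.anthropic.com"]);

// True when a dotted-quad host falls in a range that should never be a provider.
function isInternalIPv4(host: string): boolean {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  const a = Number(m[1]);
  const b = Number(m[2]);
  return (
    a === 0 || a === 10 || a === 127 ||   // "this host", RFC 1918, loopback
    (a === 169 && b === 254) ||           // link-local, incl. cloud metadata
    (a === 172 && b >= 16 && b <= 31) ||  // RFC 1918
    (a === 192 && b === 168)              // RFC 1918
  );
}

function checkBaseURL(raw: string): Verdict {
  let url: URL;
  try {
    url = new URL(raw);
  } catch {
    return { ok: false, reason: "not a valid absolute URL" };
  }
  if (url.protocol !== "https:") return { ok: false, reason: "scheme must be https" };
  if (url.username || url.password) return { ok: false, reason: "credentials in URL" };
  // Check the parsed hostname, not the raw string: the URL parser has already
  // canonicalised forms such as 2130706433 or 0x7f.0.0.1 to 127.0.0.1.
  const host = url.hostname.toLowerCase();
  if (host.startsWith("[")) return { ok: false, reason: "IPv6 literal not allowed" };
  if (isInternalIPv4(host)) return { ok: false, reason: "internal address" };
  if (!ALLOWED_HOSTS.has(host)) return { ok: false, reason: "host not in allowlist" };
  return { ok: true, reason: "allowed" };
}
```

A hostname check of this kind does not pin the address the name later resolves to, so the outbound request should also refuse redirects or re-run the check on each redirect target.
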
A missing authentication vulnerability in ItzCrazyKns Vane up to version 1.12.1 allows remote attackers to access API functionality without proper credentials. The vulnerability resides in the route.ts file of the API component. While the CVSS 4.0 score of 2.9 (LOW) reflects limited impact potential, the public disclosure of exploit details and the planned but unimplemented basic authentication indicate a [truncated]