CVE-2026-7021

Summary

A weakness has been identified in SmythOS sre up to 0.0.15. This impacts an unknown function of the file packages/sdk/src/LLM/utils.ts of the component Connector Service. This manipulation of the argument baseURL causes information disclosure. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

Affected Software

VendorProductVersion RangeStatus
SmythOSsre0.0.1affected
SmythOSsre0.0.2affected
SmythOSsre0.0.3affected
SmythOSsre0.0.4affected
SmythOSsre0.0.5affected
SmythOSsre0.0.6affected
SmythOSsre0.0.7affected
SmythOSsre0.0.8affected
SmythOSsre0.0.9affected
SmythOSsre0.0.10affected
SmythOSsre0.0.11affected
SmythOSsre0.0.12affected
SmythOSsre0.0.13affected
SmythOSsre0.0.14affected
SmythOSsre0.0.15affected

Weaknesses

  • CWE-200: Information Disclosure
  • CWE-284: Improper Access Controls

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

References