QSearch

CVE-2026-8768

7.3 HIGH

A vulnerability was found in vercel ai up to 3.0.97

Published: 2026-05-17 · Last updated: 2026-05-19

Severity and scoring

CVSS: 7.3 HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
CWE: CWE-918

Affected products

Vendor: vercel
Product: ai

Description

A vulnerability was found in vercel ai up to 3.0.97. The affected element is the function validateDownloadUrl of the file packages/provider-utils/src/download-blob.ts of the component provider-utils. The manipulation results in server-side request forgery. The attack can be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

Source: NVD

Related CVEs

Same vendor

  • CVE-2026-8769 A vulnerability was determined in vercel ai up to 3.0.97 (4.3 MEDIUM)
  • CVE-2026-8767 A vulnerability has been found in vercel ai up to 3.0.97 (5.0 MEDIUM)
  • CVE-2026-46508 Turborepo is a high-performance build system for JavaScript and TypeScript codebases (7.8 HIGH)
  • CVE-2026-45773 Turborepo is a high-performance build system for JavaScript and TypeScript codebases (6.5 MEDIUM)
  • CVE-2026-45772 Turborepo is a high-performance build system for JavaScript and TypeScript codebases (9.8 CRITICAL)

Same CWE

  • CVE-2026-53812 OpenClaw before 2026.5.18 contains a server-side request forgery vulnerability in browser control that allows authenticated users to bypa... (7.7 HIGH)
  • CVE-2026-53782 Summarize before 0.17.0 contains a server-side request forgery vulnerability that allows attackers who control a podcast RSS feed to dire... (7.4 HIGH)
  • CVE-2026-47170 Garlic-Hub manages digital signage network — devices, content, and playlists — from a single self-hosted interface (7.7 HIGH)
  • CVE-2026-47157 aiograpi is an asynchronous Instagram API for Python (6.5 MEDIUM)
  • CVE-2026-46698 Fediverse Embeds embeds fediverse posts on WordPress sites (5.3 MEDIUM)