{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5803", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-04-08T14:37:04.019Z", "datePublished": "2026-04-08T20:15:20.839Z", "dateUpdated": "2026-04-09T13:51:23.252Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-08T20:15:20.839Z"}, "title": "bigsk1 openai-realtime-ui API Proxy Endpoint server.js server-side request forgery", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-918", "lang": "en", "description": "Server-Side Request Forgery"}]}], "affected": [{"vendor": "bigsk1", "product": "openai-realtime-ui", "versions": [{"version": "188ccde27fdf3d8fab8da81f3893468f53b2797c", "status": "affected"}], "modules": ["API Proxy Endpoint"]}], "descriptions": [{"lang": "en", "value": "A security flaw has been discovered in bigsk1 openai-realtime-ui up to 188ccde27fdf3d8fab8da81f3893468f53b2797c. The affected element is an unknown function of the file server.js of the component API Proxy Endpoint. Performing a manipulation of the argument Query results in server-side request forgery. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The patch is named 54f8f50f43af97c334a881af7b021e84b5b8310f. It is suggested to install a patch to address this issue."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 6.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C", "baseSeverity": "MEDIUM"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 6.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C", "baseSeverity": "MEDIUM"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C"}}], "timeline": [{"time": "2026-04-08T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-04-08T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-04-08T16:42:13.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "BruceJin (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/vuln/356242", "name": "VDB-356242 | bigsk1 openai-realtime-ui API Proxy Endpoint server.js server-side request forgery", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/356242/cti", "name": "VDB-356242 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/786984", "name": "Submit #786984 | bigsk1 openai-realtime-ui Commit 188ccde27fdf3d8fab8da81f3893468f53b2797c Server-Side Request Forgery", "tags": ["third-party-advisory"]}, {"url": "https://github.com/bigsk1/openai-realtime-ui/issues/1", "tags": ["issue-tracking"]}, {"url": "https://github.com/bigsk1/openai-realtime-ui/pull/2", "tags": ["issue-tracking", "patch"]}, {"url": "https://github.com/BruceJqs/public_exp/issues/3", "tags": ["exploit", "issue-tracking"]}, {"url": "https://github.com/bigsk1/openai-realtime-ui/commit/54f8f50f43af97c334a881af7b021e84b5b8310f", "tags": ["patch"]}, {"url": "https://github.com/bigsk1/openai-realtime-ui/", "tags": ["product"]}], "tags": ["x_open-source"]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-09T13:51:17.043382Z", "id": "CVE-2026-5803", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T13:51:23.252Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-5803", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-09T13:51:17.043382Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T13:51:19.964Z"}}], "cna": {"tags": ["x_open-source"], "title": "bigsk1 openai-realtime-ui API Proxy Endpoint server.js server-side request forgery", "credits": [{"lang": "en", "type": "reporter", "value": "BruceJin (VulDB User)"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 6.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 6.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C"}}], "affected": [{"vendor": "bigsk1", "modules": ["API Proxy Endpoint"], "product": "openai-realtime-ui", "versions": [{"status": "affected", "version": "188ccde27fdf3d8fab8da81f3893468f53b2797c"}]}], "timeline": [{"lang": "en", "time": "2026-04-08T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-04-08T02:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-04-08T16:42:13.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/vuln/356242", "name": "VDB-356242 | bigsk1 openai-realtime-ui API Proxy Endpoint server.js server-side request forgery", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/356242/cti", "name": "VDB-356242 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/786984", "name": "Submit #786984 | bigsk1 openai-realtime-ui Commit 188ccde27fdf3d8fab8da81f3893468f53b2797c Server-Side Request Forgery", "tags": ["third-party-advisory"]}, {"url": "https://github.com/bigsk1/openai-realtime-ui/issues/1", "tags": ["issue-tracking"]}, {"url": "https://github.com/bigsk1/openai-realtime-ui/pull/2", "tags": ["issue-tracking", "patch"]}, {"url": "https://github.com/BruceJqs/public_exp/issues/3", "tags": ["exploit", "issue-tracking"]}, {"url": "https://github.com/bigsk1/openai-realtime-ui/commit/54f8f50f43af97c334a881af7b021e84b5b8310f", "tags": ["patch"]}, {"url": "https://github.com/bigsk1/openai-realtime-ui/", "tags": ["product"]}], "descriptions": [{"lang": "en", "value": "A security flaw has been discovered in bigsk1 openai-realtime-ui up to 188ccde27fdf3d8fab8da81f3893468f53b2797c. The affected element is an unknown function of the file server.js of the component API Proxy Endpoint. Performing a manipulation of the argument Query results in server-side request forgery. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The patch is named 54f8f50f43af97c334a881af7b021e84b5b8310f. It is suggested to install a patch to address this issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "Server-Side Request Forgery"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-08T20:15:20.839Z"}}}, "cveMetadata": {"cveId": "CVE-2026-5803", "state": "PUBLISHED", "dateUpdated": "2026-04-09T13:51:23.252Z", "dateReserved": "2026-04-08T14:37:04.019Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-04-08T20:15:20.839Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A security flaw has been discovered in bigsk1 openai-realtime-ui up to 188ccde27fdf3d8fab8da81f3893468f53b2797c. The affected element is an unknown function of the file server.js of the component API Proxy Endpoint. Performing a manipulation of the argument Query results in server-side request forgery. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The patch is named 54f8f50f43af97c334a881af7b021e84b5b8310f. It is suggested to install a patch to address this issue."}], "id": "CVE-2026-5803", "lastModified": "2026-04-08T21:26:13.410", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-04-08T21:17:01.977", "references": [{"source": "cna@vuldb.com", "url": "https://github.com/BruceJqs/public_exp/issues/3"}, {"source": "cna@vuldb.com", "url": "https://github.com/bigsk1/openai-realtime-ui/"}, {"source": "cna@vuldb.com", "url": "https://github.com/bigsk1/openai-realtime-ui/commit/54f8f50f43af97c334a881af7b021e84b5b8310f"}, {"source": "cna@vuldb.com", "url": "https://github.com/bigsk1/openai-realtime-ui/issues/1"}, {"source": "cna@vuldb.com", "url": "https://github.com/bigsk1/openai-realtime-ui/pull/2"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/submit/786984"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/356242"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/356242/cti"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "188ccde27fdf3d8fab8da81f3893468f53b2797c"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "openai-realtime-ui", "source": "cna", "vendor": "bigsk1"}, "product": "openai-realtime-ui", "vendor": "bigsk1"}], "analysis": {"en": {"generated_at": "2026-04-08T21:51:32.623799+00:00", "value": {"mitigation_remediation": ["Apply patch commit 54f8f50f43af97c334a881af7b021e84b5b8310f to the openai\u2011realtime\u2011ui repository"], "summary": {"action": "Patch Now", "impact": "Server\u2011Side Request Forgery"}, "threat_synthesis": {"affected_systems": "Any installation of bigsk1's openai\u2011realtime\u2011ui that includes the affected component up to commit 188ccde27fdf3d8fab8da81f3893468f53b2797c is vulnerable. Because the project uses continuous delivery with rolling releases, no specific version numbers are published. The flaw remains until the patch commit 54f8f50f43af97c334a881af7b021e84b5b8310f is applied.", "description_and_impact": "The flaw in the server.js API Proxy Endpoint of the openai\u2011realtime\u2011ui allows an attacker to manipulate a query argument, causing the server to issue outbound requests to arbitrary URLs. This server\u2011side request forgery can expose internal resources, pull confidential data, or initiate further attacks by connecting the application to malicious services. The impact includes potential confidentiality and integrity compromise of internal systems, and may also lead to availability issues if the server is overwhelmed.", "risk_and_exploitability": "The vulnerability carries a CVSS score of 5.3, indicating medium severity. The exploit is remote, publicly available, and has been released, which makes it realistic for adversaries to exploit. The EPSS score is not available and the issue is not listed in the CISA KEV catalog. Exploitation requires only a crafted query to the API Proxy Endpoint, making the attack vector trivial for attackers who can reach the exposed service."}}}}, "created": "2026-04-09T08:18:02.047081+00:00", "updated": "2026-04-09T08:27:24.917834+00:00", "vendors": ["bigsk1", "bigsk1$PRODUCT$openai-realtime-ui"]}