{"data":{"id":"21cdeba9-eaa8-4ada-a580-65ef35ae6f08","title":"CVE-2026-42344: FastGPT is an AI Agent building platform. In versions 4.14.11 and prior, FastGPT's isInternalAddress() function in packa","summary":"FastGPT versions 4.14.11 and earlier have a DNS rebinding vulnerability (TOCTOU, or Time-of-Check to Time-of-Use, where a check happens at one moment but the actual action uses a different result moments later) in their isInternalAddress() function. The function resolves a hostname to check whether it points to an internal (private) IP address, but because the actual HTTP request performs a separate DNS lookup afterward, an attacker can change the DNS record between validation and the request, bypassing the security check.","solution":"N/A -- no mitigation discussed in source.","labels":["security"],"sourceUrl":"https://nvd.nist.gov/vuln/detail/CVE-2026-42344","publishedAt":"2026-05-08T23:16:37.177Z","cveId":"CVE-2026-42344","cweIds":["CWE-367"],"cvssScore":"6.3","cvssSeverity":"medium","severity":"medium","attackType":["other"],"issueType":"vulnerability","affectedPackages":null,"affectedVendors":["LangChain"],"affectedVendorsRaw":["FastGPT"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N","attackVector":"network","attackComplexity":"high","privilegesRequired":"low","userInteraction":"none","exploitMaturity":"unknown","epssScore":0.00028,"patchAvailable":null,"disclosureDate":"2026-05-08T23:16:37.177Z","capecIds":["CAPEC-27"],"crossRefCount":0,"attackSophistication":"moderate","impactType":["integrity","confidentiality"],"aiComponentTargeted":"api","llmSpecific":false,"classifierConfidence":0.85,"researchCategory":null,"atlasIds":null}}