CVE-2024-38514: NextChat is a cross-platform ChatGPT/Gemini UI. There is a Server-Side Request Forgery (SSRF) vulnerability due to a lac
Summary
NextChat, a user interface for ChatGPT and Gemini, has a Server-Side Request Forgery vulnerability (SSRF, a flaw that lets attackers trick the server into making requests to unintended destinations) in its WebDav API endpoint because the `endpoint` parameter is not validated. An attacker could use this to make unauthorized HTTPS requests from the vulnerable server or inject malicious JavaScript code into users' browsers.
Solution / Mitigation
This vulnerability has been patched in version 2.12.4. Users should update to this version or later.
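One way to validate an `endpoint` value before the server makes any outbound request, shown as an added example rather than NextChat's actual patch. The function name, reason strings and allowlisted hosts are assumptions chosen for illustration.

```javascript
// Added example: allowlist validation for a user-supplied WebDAV `endpoint`.
// ALLOWED_DAV_HOSTS and validateWebDavEndpoint are hypothetical names,
// not taken from the NextChat code base. Hosts below are constructed.
const ALLOWED_DAV_HOSTS = new Set(["dav.example.com", "webdav.example.org"]);

function validateWebDavEndpoint(raw, allowedHosts = ALLOWED_DAV_HOSTS) {
  if (typeof raw !== "string" || raw.length === 0 || raw.length > 2048) {
    return { ok: false, reason: "missing-or-oversized" };
  }
  let url;
  try {
    url = new URL(raw); // WHATWG parser, the same one fetch() applies
  } catch {
    return { ok: false, reason: "unparseable" };
  }
  if (url.protocol !== "https:") {
    return { ok: false, reason: "scheme-not-https" };
  }
  // user:pass@host syntax defeats substring checks on the raw string
  if (url.username !== "" || url.password !== "") {
    return { ok: false, reason: "embedded-credentials" };
  }
  // The parser drops the default port, so a non-empty value is not 443
  if (url.port !== "") {
    return { ok: false, reason: "non-default-port" };
  }
  // Exact match on the parsed, lower-cased hostname (no includes/startsWith)
  if (!allowedHosts.has(url.hostname)) {
    return { ok: false, reason: "host-not-allowlisted" };
  }
  return { ok: true, url: url.href }; // pass the normalized form downstream
}

// Constructed sample inputs
const samples = [
  "https://DAV.EXAMPLE.COM/remote.php/dav",
  "http://dav.example.com/",
  "https://dav.example.com@127.0.0.1/",
  "https://127.0.0.1:8443/",
  "https://dav.example.com.other.example/",
  "not a url",
];
for (const s of samples) {
  console.log(s, "->", JSON.stringify(validateWebDavEndpoint(s)));
}
```

The outbound request should also be made with `redirect: "manual"` (a standard `fetch` option), because a redirect from an allowlisted host would otherwise bypass this check.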
Vulnerability Details
7.4 (high)
EPSS: 72.6%
Original source: https://nvd.nist.gov/vuln/detail/CVE-2024-38514
First tracked: February 15, 2026 at 08:50 PM