{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-8767", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-05-17T09:28:03.647Z", "datePublished": "2026-05-17T22:30:09.659Z", "dateUpdated": "2026-05-18T14:30:55.942Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-05-17T22:30:09.659Z"}, "title": "vercel ai PR Branch Name Interpolation prettier-on-automerge.yml run os command injection", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-78", "lang": "en", "description": "OS Command Injection"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-77", "lang": "en", "description": "Command Injection"}]}], "affected": [{"vendor": "vercel", "product": "ai", "versions": [{"version": "3.0.0", "status": "affected"}, {"version": "3.0.1", "status": "affected"}, {"version": "3.0.2", "status": "affected"}, {"version": "3.0.3", "status": "affected"}, {"version": "3.0.4", "status": "affected"}, {"version": "3.0.5", "status": "affected"}, {"version": "3.0.6", "status": "affected"}, {"version": "3.0.7", "status": "affected"}, {"version": "3.0.8", "status": "affected"}, {"version": "3.0.9", "status": "affected"}, {"version": "3.0.10", "status": "affected"}, {"version": "3.0.11", "status": "affected"}, {"version": "3.0.12", "status": "affected"}, {"version": "3.0.13", "status": "affected"}, {"version": "3.0.14", "status": "affected"}, {"version": "3.0.15", "status": "affected"}, {"version": "3.0.16", "status": "affected"}, {"version": "3.0.17", "status": "affected"}, {"version": "3.0.18", "status": "affected"}, {"version": "3.0.19", "status": "affected"}, {"version": "3.0.20", "status": "affected"}, {"version": "3.0.21", "status": "affected"}, {"version": "3.0.22", "status": "affected"}, {"version": "3.0.23", "status": "affected"}, {"version": "3.0.24", "status": "affected"}, {"version": "3.0.25", "status": "affected"}, {"version": "3.0.26", "status": "affected"}, {"version": "3.0.27", "status": "affected"}, {"version": "3.0.28", "status": "affected"}, {"version": "3.0.29", "status": "affected"}, {"version": "3.0.30", "status": "affected"}, {"version": "3.0.31", "status": "affected"}, {"version": "3.0.32", "status": "affected"}, {"version": "3.0.33", "status": "affected"}, {"version": "3.0.34", "status": "affected"}, {"version": "3.0.35", "status": "affected"}, {"version": "3.0.36", "status": "affected"}, {"version": "3.0.37", "status": "affected"}, {"version": "3.0.38", "status": "affected"}, {"version": "3.0.39", "status": "affected"}, {"version": "3.0.40", "status": "affected"}, {"version": "3.0.41", "status": "affected"}, {"version": "3.0.42", "status": "affected"}, {"version": "3.0.43", "status": "affected"}, {"version": "3.0.44", "status": "affected"}, {"version": "3.0.45", "status": "affected"}, {"version": "3.0.46", "status": "affected"}, {"version": "3.0.47", "status": "affected"}, {"version": "3.0.48", "status": "affected"}, {"version": "3.0.49", "status": "affected"}, {"version": "3.0.50", "status": "affected"}, {"version": "3.0.51", "status": "affected"}, {"version": "3.0.52", "status": "affected"}, {"version": "3.0.53", "status": "affected"}, {"version": "3.0.54", "status": "affected"}, {"version": "3.0.55", "status": "affected"}, {"version": "3.0.56", "status": "affected"}, {"version": "3.0.57", "status": "affected"}, {"version": "3.0.58", "status": "affected"}, {"version": "3.0.59", "status": "affected"}, {"version": "3.0.60", "status": "affected"}, {"version": "3.0.61", "status": "affected"}, {"version": "3.0.62", "status": "affected"}, {"version": "3.0.63", "status": "affected"}, {"version": "3.0.64", "status": "affected"}, {"version": "3.0.65", "status": "affected"}, {"version": "3.0.66", "status": "affected"}, {"version": "3.0.67", "status": "affected"}, {"version": "3.0.68", "status": "affected"}, {"version": "3.0.69", "status": "affected"}, {"version": "3.0.70", "status": "affected"}, {"version": "3.0.71", "status": "affected"}, {"version": "3.0.72", "status": "affected"}, {"version": "3.0.73", "status": "affected"}, {"version": "3.0.74", "status": "affected"}, {"version": "3.0.75", "status": "affected"}, {"version": "3.0.76", "status": "affected"}, {"version": "3.0.77", "status": "affected"}, {"version": "3.0.78", "status": "affected"}, {"version": "3.0.79", "status": "affected"}, {"version": "3.0.80", "status": "affected"}, {"version": "3.0.81", "status": "affected"}, {"version": "3.0.82", "status": "affected"}, {"version": "3.0.83", "status": "affected"}, {"version": "3.0.84", "status": "affected"}, {"version": "3.0.85", "status": "affected"}, {"version": "3.0.86", "status": "affected"}, {"version": "3.0.87", "status": "affected"}, {"version": "3.0.88", "status": "affected"}, {"version": "3.0.89", "status": "affected"}, {"version": "3.0.90", "status": "affected"}, {"version": "3.0.91", "status": "affected"}, {"version": "3.0.92", "status": "affected"}, {"version": "3.0.93", "status": "affected"}, {"version": "3.0.94", "status": "affected"}, {"version": "3.0.95", "status": "affected"}, {"version": "3.0.96", "status": "affected"}, {"version": "3.0.97", "status": "affected"}], "cpes": ["cpe:2.3:a:vercel:ai:*:*:*:*:*:*:*:*"], "modules": ["PR Branch Name Interpolation"]}], "descriptions": [{"lang": "en", "value": "A vulnerability has been found in vercel ai up to 3.0.97. Impacted is the function run of the file .github/workflows/prettier-on-automerge.yml of the component PR Branch Name Interpolation. The manipulation leads to os command injection. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitability is considered difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 2.3, "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "LOW"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 5, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 5, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 4.6, "vectorString": "AV:N/AC:H/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-05-17T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-05-17T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-05-17T11:33:11.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "Eric-d (VulDB User)", "type": "reporter"}, {"lang": "en", "value": "VulDB CNA Team", "type": "coordinator"}], "references": [{"url": "https://vuldb.com/vuln/364392", "name": "VDB-364392 | vercel ai PR Branch Name Interpolation prettier-on-automerge.yml run os command injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/364392/cti", "name": "VDB-364392 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/811402", "name": "Submit #811402 | vercel ai @ai-sdk/amazon-bedrock@3.0.97 OS Command Injection (CWE-78)", "tags": ["third-party-advisory"]}, {"url": "https://gist.github.com/YLChen-007/870bd6966cd84703d91ce54dfea3bdd0", "tags": ["exploit"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-05-18T14:30:43.479216Z", "id": "CVE-2026-8767", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-18T14:30:55.942Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-8767", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-05-18T14:30:43.479216Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-18T14:30:52.710Z"}}], "cna": {"title": "vercel ai PR Branch Name Interpolation prettier-on-automerge.yml run os command injection", "credits": [{"lang": "en", "type": "reporter", "value": "Eric-d (VulDB User)"}, {"lang": "en", "type": "coordinator", "value": "VulDB CNA Team"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 2.3, "baseSeverity": "LOW", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 4.6, "vectorString": "AV:N/AC:H/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "affected": [{"cpes": ["cpe:2.3:a:vercel:ai:*:*:*:*:*:*:*:*"], "vendor": "vercel", "modules": ["PR Branch Name Interpolation"], "product": "ai", "versions": [{"status": "affected", "version": "3.0.0"}, {"status": "affected", "version": "3.0.1"}, {"status": "affected", "version": "3.0.2"}, {"status": "affected", "version": "3.0.3"}, {"status": "affected", "version": "3.0.4"}, {"status": "affected", "version": "3.0.5"}, {"status": "affected", "version": "3.0.6"}, {"status": "affected", "version": "3.0.7"}, {"status": "affected", "version": "3.0.8"}, {"status": "affected", "version": "3.0.9"}, {"status": "affected", "version": "3.0.10"}, {"status": "affected", "version": "3.0.11"}, {"status": "affected", "version": "3.0.12"}, {"status": "affected", "version": "3.0.13"}, {"status": "affected", "version": "3.0.14"}, {"status": "affected", "version": "3.0.15"}, {"status": "affected", "version": "3.0.16"}, {"status": "affected", "version": "3.0.17"}, {"status": "affected", "version": "3.0.18"}, {"status": "affected", "version": "3.0.19"}, {"status": "affected", "version": "3.0.20"}, {"status": "affected", "version": "3.0.21"}, {"status": "affected", "version": "3.0.22"}, {"status": "affected", "version": "3.0.23"}, {"status": "affected", "version": "3.0.24"}, {"status": "affected", "version": "3.0.25"}, {"status": "affected", "version": "3.0.26"}, {"status": "affected", "version": "3.0.27"}, {"status": "affected", "version": "3.0.28"}, {"status": "affected", "version": "3.0.29"}, {"status": "affected", "version": "3.0.30"}, {"status": "affected", "version": "3.0.31"}, {"status": "affected", "version": "3.0.32"}, {"status": "affected", "version": "3.0.33"}, {"status": "affected", "version": "3.0.34"}, {"status": "affected", "version": "3.0.35"}, {"status": "affected", "version": "3.0.36"}, {"status": "affected", "version": "3.0.37"}, {"status": "affected", "version": "3.0.38"}, {"status": "affected", "version": "3.0.39"}, {"status": "affected", "version": "3.0.40"}, {"status": "affected", "version": "3.0.41"}, {"status": "affected", "version": "3.0.42"}, {"status": "affected", "version": "3.0.43"}, {"status": "affected", "version": "3.0.44"}, {"status": "affected", "version": "3.0.45"}, {"status": "affected", "version": "3.0.46"}, {"status": "affected", "version": "3.0.47"}, {"status": "affected", "version": "3.0.48"}, {"status": "affected", "version": "3.0.49"}, {"status": "affected", "version": "3.0.50"}, {"status": "affected", "version": "3.0.51"}, {"status": "affected", "version": "3.0.52"}, {"status": "affected", "version": "3.0.53"}, {"status": "affected", "version": "3.0.54"}, {"status": "affected", "version": "3.0.55"}, {"status": "affected", "version": "3.0.56"}, {"status": "affected", "version": "3.0.57"}, {"status": "affected", "version": "3.0.58"}, {"status": "affected", "version": "3.0.59"}, {"status": "affected", "version": "3.0.60"}, {"status": "affected", "version": "3.0.61"}, {"status": "affected", "version": "3.0.62"}, {"status": "affected", "version": "3.0.63"}, {"status": "affected", "version": "3.0.64"}, {"status": "affected", "version": "3.0.65"}, {"status": "affected", "version": "3.0.66"}, {"status": "affected", "version": "3.0.67"}, {"status": "affected", "version": "3.0.68"}, {"status": "affected", "version": "3.0.69"}, {"status": "affected", "version": "3.0.70"}, {"status": "affected", "version": "3.0.71"}, {"status": "affected", "version": "3.0.72"}, {"status": "affected", "version": "3.0.73"}, {"status": "affected", "version": "3.0.74"}, {"status": "affected", "version": "3.0.75"}, {"status": "affected", "version": "3.0.76"}, {"status": "affected", "version": "3.0.77"}, {"status": "affected", "version": "3.0.78"}, {"status": "affected", "version": "3.0.79"}, {"status": "affected", "version": "3.0.80"}, {"status": "affected", "version": "3.0.81"}, {"status": "affected", "version": "3.0.82"}, {"status": "affected", "version": "3.0.83"}, {"status": "affected", "version": "3.0.84"}, {"status": "affected", "version": "3.0.85"}, {"status": "affected", "version": "3.0.86"}, {"status": "affected", "version": "3.0.87"}, {"status": "affected", "version": "3.0.88"}, {"status": "affected", "version": "3.0.89"}, {"status": "affected", "version": "3.0.90"}, {"status": "affected", "version": "3.0.91"}, {"status": "affected", "version": "3.0.92"}, {"status": "affected", "version": "3.0.93"}, {"status": "affected", "version": "3.0.94"}, {"status": "affected", "version": "3.0.95"}, {"status": "affected", "version": "3.0.96"}, {"status": "affected", "version": "3.0.97"}]}], "timeline": [{"lang": "en", "time": "2026-05-17T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-05-17T02:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-05-17T11:33:11.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/vuln/364392", "name": "VDB-364392 | vercel ai PR Branch Name Interpolation prettier-on-automerge.yml run os command injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/364392/cti", "name": "VDB-364392 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/811402", "name": "Submit #811402 | vercel ai @ai-sdk/amazon-bedrock@3.0.97 OS Command Injection (CWE-78)", "tags": ["third-party-advisory"]}, {"url": "https://gist.github.com/YLChen-007/870bd6966cd84703d91ce54dfea3bdd0", "tags": ["exploit"]}], "descriptions": [{"lang": "en", "value": "A vulnerability has been found in vercel ai up to 3.0.97. Impacted is the function run of the file .github/workflows/prettier-on-automerge.yml of the component PR Branch Name Interpolation. The manipulation leads to os command injection. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitability is considered difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "OS Command Injection"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-77", "description": "Command Injection"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-05-17T22:30:09.659Z"}}}, "cveMetadata": {"cveId": "CVE-2026-8767", "state": "PUBLISHED", "dateUpdated": "2026-05-18T14:30:55.942Z", "dateReserved": "2026-05-17T09:28:03.647Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-05-17T22:30:09.659Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"affected": [{"affectedData": [{"cpes": ["cpe:2.3:a:vercel:ai:*:*:*:*:*:*:*:*"], "modules": ["PR Branch Name Interpolation"], "product": "ai", "vendor": "vercel", "versions": [{"status": "affected", "version": "3.0.0"}, {"status": "affected", "version": "3.0.1"}, {"status": "affected", "version": "3.0.2"}, {"status": "affected", "version": "3.0.3"}, {"status": "affected", "version": "3.0.4"}, {"status": "affected", "version": "3.0.5"}, {"status": "affected", "version": "3.0.6"}, {"status": "affected", "version": "3.0.7"}, {"status": "affected", "version": "3.0.8"}, {"status": "affected", "version": "3.0.9"}, {"status": "affected", "version": "3.0.10"}, {"status": "affected", "version": "3.0.11"}, {"status": "affected", "version": "3.0.12"}, {"status": "affected", "version": "3.0.13"}, {"status": "affected", "version": "3.0.14"}, {"status": "affected", "version": "3.0.15"}, {"status": "affected", "version": "3.0.16"}, {"status": "affected", "version": "3.0.17"}, {"status": "affected", "version": "3.0.18"}, {"status": "affected", "version": "3.0.19"}, {"status": "affected", "version": "3.0.20"}, {"status": "affected", "version": "3.0.21"}, {"status": "affected", "version": "3.0.22"}, {"status": "affected", "version": "3.0.23"}, {"status": "affected", "version": "3.0.24"}, {"status": "affected", "version": "3.0.25"}, {"status": "affected", "version": "3.0.26"}, {"status": "affected", "version": "3.0.27"}, {"status": "affected", "version": "3.0.28"}, {"status": "affected", "version": "3.0.29"}, {"status": "affected", "version": "3.0.30"}, {"status": "affected", "version": "3.0.31"}, {"status": "affected", "version": "3.0.32"}, {"status": "affected", "version": "3.0.33"}, {"status": "affected", "version": "3.0.34"}, {"status": "affected", "version": "3.0.35"}, {"status": "affected", "version": "3.0.36"}, {"status": "affected", "version": "3.0.37"}, {"status": "affected", "version": "3.0.38"}, {"status": "affected", "version": "3.0.39"}, {"status": "affected", "version": "3.0.40"}, {"status": "affected", "version": "3.0.41"}, {"status": "affected", "version": "3.0.42"}, {"status": "affected", "version": "3.0.43"}, {"status": "affected", "version": "3.0.44"}, {"status": "affected", "version": "3.0.45"}, {"status": "affected", "version": "3.0.46"}, {"status": "affected", "version": "3.0.47"}, {"status": "affected", "version": "3.0.48"}, {"status": "affected", "version": "3.0.49"}, {"status": "affected", "version": "3.0.50"}, {"status": "affected", "version": "3.0.51"}, {"status": "affected", "version": "3.0.52"}, {"status": "affected", "version": "3.0.53"}, {"status": "affected", "version": "3.0.54"}, {"status": "affected", "version": "3.0.55"}, {"status": "affected", "version": "3.0.56"}, {"status": "affected", "version": "3.0.57"}, {"status": "affected", "version": "3.0.58"}, {"status": "affected", "version": "3.0.59"}, {"status": "affected", "version": "3.0.60"}, {"status": "affected", "version": "3.0.61"}, {"status": "affected", "version": "3.0.62"}, {"status": "affected", "version": "3.0.63"}, {"status": "affected", "version": "3.0.64"}, {"status": "affected", "version": "3.0.65"}, {"status": "affected", "version": "3.0.66"}, {"status": "affected", "version": "3.0.67"}, {"status": "affected", "version": "3.0.68"}, {"status": "affected", "version": "3.0.69"}, {"status": "affected", "version": "3.0.70"}, {"status": "affected", "version": "3.0.71"}, {"status": "affected", "version": "3.0.72"}, {"status": "affected", "version": "3.0.73"}, {"status": "affected", "version": "3.0.74"}, {"status": "affected", "version": "3.0.75"}, {"status": "affected", "version": "3.0.76"}, {"status": "affected", "version": "3.0.77"}, {"status": "affected", "version": "3.0.78"}, {"status": "affected", "version": "3.0.79"}, {"status": "affected", "version": "3.0.80"}, {"status": "affected", "version": "3.0.81"}, {"status": "affected", "version": "3.0.82"}, {"status": "affected", "version": "3.0.83"}, {"status": "affected", "version": "3.0.84"}, {"status": "affected", "version": "3.0.85"}, {"status": "affected", "version": "3.0.86"}, {"status": "affected", "version": "3.0.87"}, {"status": "affected", "version": "3.0.88"}, {"status": "affected", "version": "3.0.89"}, {"status": "affected", "version": "3.0.90"}, {"status": "affected", "version": "3.0.91"}, {"status": "affected", "version": "3.0.92"}, {"status": "affected", "version": "3.0.93"}, {"status": "affected", "version": "3.0.94"}, {"status": "affected", "version": "3.0.95"}, {"status": "affected", "version": "3.0.96"}, {"status": "affected", "version": "3.0.97"}]}], "source": "cna@vuldb.com"}], "configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:vercel:ai:*:*:*:*:*:*:*:*", "matchCriteriaId": "9C80CA5C-3BEC-499F-85D5-5E81491D37D6", "versionEndIncluding": "3.0.97", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability has been found in vercel ai up to 3.0.97. Impacted is the function run of the file .github/workflows/prettier-on-automerge.yml of the component PR Branch Name Interpolation. The manipulation leads to os command injection. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitability is considered difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "id": "CVE-2026-8767", "lastModified": "2026-06-17T11:04:25.807", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "HIGH", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 4.6, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:H/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 1.3, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}], "ssvcV203": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "ssvcData": {"id": "CVE-2026-8767", "options": [{"exploitation": "poc"}, {"automatable": "no"}, {"technicalImpact": "partial"}], "role": "CISA Coordinator", "timestamp": "2026-05-18T14:30:43.479216Z", "version": "2.0.3"}}]}, "published": "2026-05-17T23:17:02.810", "references": [{"source": "cna@vuldb.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://gist.github.com/YLChen-007/870bd6966cd84703d91ce54dfea3bdd0"}, {"source": "cna@vuldb.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://vuldb.com/submit/811402"}, {"source": "cna@vuldb.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://vuldb.com/vuln/364392"}, {"source": "cna@vuldb.com", "tags": ["Permissions Required", "VDB Entry"], "url": "https://vuldb.com/vuln/364392/cti"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-77"}, {"lang": "en", "value": "CWE-78"}], "source": "cna@vuldb.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.0.0"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.0.1"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.0.2"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.0.3"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.0.4"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.0.5"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.0.6"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.0.7"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.0.8"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.0.9"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.0.10"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.0.11"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.0.12"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.0.13"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.0.14"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.0.15"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.0.16"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.0.17"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.0.18"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.0.19"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.0.20"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.0.21"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.0.22"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.0.23"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.0.24"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.0.25"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.0.26"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.0.27"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.0.28"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.0.29"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.0.30"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.0.31"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.0.32"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.0.33"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.0.34"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.0.35"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.0.36"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.0.37"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.0.38"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.0.39"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.0.40"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.0.41"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.0.42"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.0.43"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.0.44"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.0.45"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.0.46"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.0.47"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.0.48"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.0.49"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.0.50"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.0.51"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.0.52"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.0.53"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.0.54"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.0.55"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.0.56"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.0.57"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.0.58"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.0.59"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.0.60"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.0.61"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.0.62"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.0.63"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.0.64"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.0.65"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.0.66"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.0.67"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.0.68"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.0.69"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.0.70"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.0.71"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.0.72"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.0.73"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.0.74"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.0.75"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.0.76"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.0.77"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.0.78"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.0.79"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.0.80"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.0.81"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.0.82"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.0.83"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.0.84"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.0.85"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.0.86"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.0.87"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.0.88"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.0.89"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.0.90"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.0.91"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.0.92"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.0.93"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.0.94"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.0.95"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.0.96"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.0.97"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "ai", "source": "cna", "vendor": "vercel"}, "product": "ai", "vendor": "vercel"}], "created": "2026-05-17T23:30:12.389519+00:00", "updated": "2026-06-18T08:00:16.457939+00:00", "vendors": ["vercel", "vercel$PRODUCT$ai"]}