Search

Find a vulnerability

Search criteria Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.

    2 vulnerabilities by Helicone

    CVE-2026-15508 (GCVE-0-2026-15508)

    Vulnerability from nvd – Published: 2026-07-12 22:15 – Updated: 2026-07-12 22:15
    VLAI
    Title
    Helicone ai-gateway AWS Metadata Service service.rs build_target_url server-side request forgery
    Summary
    A flaw has been found in Helicone ai-gateway up to 0.2.0-beta.30. This affects the function build_target_url of the file ai-gateway/src/dispatcher/service.rs of the component AWS Metadata Service. Executing a manipulation of the argument extracted_path_and_query can lead to server-side request forgery. The attack can be executed remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
    CWE
    • CWE-918 - Server-Side Request Forgery
    Assigner
    References
    URL Tags
    https://vuldb.com/vuln/377837 vdb-entrytechnical-description
    https://vuldb.com/vuln/377837/cti signaturepermissions-required
    https://vuldb.com/cve/CVE-2026-15508 third-party-advisory
    https://vuldb.com/submit/845671 third-party-advisory
    https://github.com/oscar2744/CVE-Submit/issues/1 exploitissue-tracking
    Impacted products
    Vendor Product Version
    Helicone ai-gateway Affected: 0.2.0-beta.0
    Affected: 0.2.0-beta.1
    Affected: 0.2.0-beta.2
    Affected: 0.2.0-beta.3
    Affected: 0.2.0-beta.4
    Affected: 0.2.0-beta.5
    Affected: 0.2.0-beta.6
    Affected: 0.2.0-beta.7
    Affected: 0.2.0-beta.8
    Affected: 0.2.0-beta.9
    Affected: 0.2.0-beta.10
    Affected: 0.2.0-beta.11
    Affected: 0.2.0-beta.12
    Affected: 0.2.0-beta.13
    Affected: 0.2.0-beta.14
    Affected: 0.2.0-beta.15
    Affected: 0.2.0-beta.16
    Affected: 0.2.0-beta.17
    Affected: 0.2.0-beta.18
    Affected: 0.2.0-beta.19
    Affected: 0.2.0-beta.20
    Affected: 0.2.0-beta.21
    Affected: 0.2.0-beta.22
    Affected: 0.2.0-beta.23
    Affected: 0.2.0-beta.24
    Affected: 0.2.0-beta.25
    Affected: 0.2.0-beta.26
    Affected: 0.2.0-beta.27
    Affected: 0.2.0-beta.28
    Affected: 0.2.0-beta.29
    Affected: 0.2.0-beta.30
        cpe:2.3:a:helicone:ai-gateway:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    havel8964 (VulDB User) VulDB CNA Team
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:helicone:ai-gateway:*:*:*:*:*:*:*:*"
              ],
              "modules": [
                "AWS Metadata Service"
              ],
              "product": "ai-gateway",
              "vendor": "Helicone",
              "versions": [
                {
                  "status": "affected",
                  "version": "0.2.0-beta.0"
                },
                {
                  "status": "affected",
                  "version": "0.2.0-beta.1"
                },
                {
                  "status": "affected",
                  "version": "0.2.0-beta.2"
                },
                {
                  "status": "affected",
                  "version": "0.2.0-beta.3"
                },
                {
                  "status": "affected",
                  "version": "0.2.0-beta.4"
                },
                {
                  "status": "affected",
                  "version": "0.2.0-beta.5"
                },
                {
                  "status": "affected",
                  "version": "0.2.0-beta.6"
                },
                {
                  "status": "affected",
                  "version": "0.2.0-beta.7"
                },
                {
                  "status": "affected",
                  "version": "0.2.0-beta.8"
                },
                {
                  "status": "affected",
                  "version": "0.2.0-beta.9"
                },
                {
                  "status": "affected",
                  "version": "0.2.0-beta.10"
                },
                {
                  "status": "affected",
                  "version": "0.2.0-beta.11"
                },
                {
                  "status": "affected",
                  "version": "0.2.0-beta.12"
                },
                {
                  "status": "affected",
                  "version": "0.2.0-beta.13"
                },
                {
                  "status": "affected",
                  "version": "0.2.0-beta.14"
                },
                {
                  "status": "affected",
                  "version": "0.2.0-beta.15"
                },
                {
                  "status": "affected",
                  "version": "0.2.0-beta.16"
                },
                {
                  "status": "affected",
                  "version": "0.2.0-beta.17"
                },
                {
                  "status": "affected",
                  "version": "0.2.0-beta.18"
                },
                {
                  "status": "affected",
                  "version": "0.2.0-beta.19"
                },
                {
                  "status": "affected",
                  "version": "0.2.0-beta.20"
                },
                {
                  "status": "affected",
                  "version": "0.2.0-beta.21"
                },
                {
                  "status": "affected",
                  "version": "0.2.0-beta.22"
                },
                {
                  "status": "affected",
                  "version": "0.2.0-beta.23"
                },
                {
                  "status": "affected",
                  "version": "0.2.0-beta.24"
                },
                {
                  "status": "affected",
                  "version": "0.2.0-beta.25"
                },
                {
                  "status": "affected",
                  "version": "0.2.0-beta.26"
                },
                {
                  "status": "affected",
                  "version": "0.2.0-beta.27"
                },
                {
                  "status": "affected",
                  "version": "0.2.0-beta.28"
                },
                {
                  "status": "affected",
                  "version": "0.2.0-beta.29"
                },
                {
                  "status": "affected",
                  "version": "0.2.0-beta.30"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "havel8964 (VulDB User)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "VulDB CNA Team"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A flaw has been found in Helicone ai-gateway up to 0.2.0-beta.30. This affects the function build_target_url of the file ai-gateway/src/dispatcher/service.rs of the component AWS Metadata Service. Executing a manipulation of the argument extracted_path_and_query can lead to server-side request forgery. The attack can be executed remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 6.5,
                "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-918",
                  "description": "Server-Side Request Forgery",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-12T22:15:11.407Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-377837 | Helicone ai-gateway AWS Metadata Service service.rs build_target_url server-side request forgery",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/vuln/377837"
            },
            {
              "name": "VDB-377837 | CTI Indicators (IOB, IOC, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/vuln/377837/cti"
            },
            {
              "name": "CVE-2026-15508 | CVE Analysis and Report",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/cve/CVE-2026-15508"
            },
            {
              "name": "Submit #845671 | GitHub Helicone ai-gateway v0.2.0-beta.30 Server-Side Request Forgery",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/submit/845671"
            },
            {
              "tags": [
                "exploit",
                "issue-tracking"
              ],
              "url": "https://github.com/oscar2744/CVE-Submit/issues/1"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-07-12T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2026-07-12T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2026-07-12T07:57:28.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "Helicone ai-gateway AWS Metadata Service service.rs build_target_url server-side request forgery"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2026-15508",
        "datePublished": "2026-07-12T22:15:11.407Z",
        "dateReserved": "2026-07-12T05:52:24.844Z",
        "dateUpdated": "2026-07-12T22:15:11.407Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-15508 (GCVE-0-2026-15508)

    Vulnerability from cvelistv5 – Published: 2026-07-12 22:15 – Updated: 2026-07-12 22:15
    VLAI
    Title
    Helicone ai-gateway AWS Metadata Service service.rs build_target_url server-side request forgery
    Summary
    A flaw has been found in Helicone ai-gateway up to 0.2.0-beta.30. This affects the function build_target_url of the file ai-gateway/src/dispatcher/service.rs of the component AWS Metadata Service. Executing a manipulation of the argument extracted_path_and_query can lead to server-side request forgery. The attack can be executed remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
    CWE
    • CWE-918 - Server-Side Request Forgery
    Assigner
    References
    URL Tags
    https://vuldb.com/vuln/377837 vdb-entrytechnical-description
    https://vuldb.com/vuln/377837/cti signaturepermissions-required
    https://vuldb.com/cve/CVE-2026-15508 third-party-advisory
    https://vuldb.com/submit/845671 third-party-advisory
    https://github.com/oscar2744/CVE-Submit/issues/1 exploitissue-tracking
    Impacted products
    Vendor Product Version
    Helicone ai-gateway Affected: 0.2.0-beta.0
    Affected: 0.2.0-beta.1
    Affected: 0.2.0-beta.2
    Affected: 0.2.0-beta.3
    Affected: 0.2.0-beta.4
    Affected: 0.2.0-beta.5
    Affected: 0.2.0-beta.6
    Affected: 0.2.0-beta.7
    Affected: 0.2.0-beta.8
    Affected: 0.2.0-beta.9
    Affected: 0.2.0-beta.10
    Affected: 0.2.0-beta.11
    Affected: 0.2.0-beta.12
    Affected: 0.2.0-beta.13
    Affected: 0.2.0-beta.14
    Affected: 0.2.0-beta.15
    Affected: 0.2.0-beta.16
    Affected: 0.2.0-beta.17
    Affected: 0.2.0-beta.18
    Affected: 0.2.0-beta.19
    Affected: 0.2.0-beta.20
    Affected: 0.2.0-beta.21
    Affected: 0.2.0-beta.22
    Affected: 0.2.0-beta.23
    Affected: 0.2.0-beta.24
    Affected: 0.2.0-beta.25
    Affected: 0.2.0-beta.26
    Affected: 0.2.0-beta.27
    Affected: 0.2.0-beta.28
    Affected: 0.2.0-beta.29
    Affected: 0.2.0-beta.30
        cpe:2.3:a:helicone:ai-gateway:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    havel8964 (VulDB User) VulDB CNA Team
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:helicone:ai-gateway:*:*:*:*:*:*:*:*"
              ],
              "modules": [
                "AWS Metadata Service"
              ],
              "product": "ai-gateway",
              "vendor": "Helicone",
              "versions": [
                {
                  "status": "affected",
                  "version": "0.2.0-beta.0"
                },
                {
                  "status": "affected",
                  "version": "0.2.0-beta.1"
                },
                {
                  "status": "affected",
                  "version": "0.2.0-beta.2"
                },
                {
                  "status": "affected",
                  "version": "0.2.0-beta.3"
                },
                {
                  "status": "affected",
                  "version": "0.2.0-beta.4"
                },
                {
                  "status": "affected",
                  "version": "0.2.0-beta.5"
                },
                {
                  "status": "affected",
                  "version": "0.2.0-beta.6"
                },
                {
                  "status": "affected",
                  "version": "0.2.0-beta.7"
                },
                {
                  "status": "affected",
                  "version": "0.2.0-beta.8"
                },
                {
                  "status": "affected",
                  "version": "0.2.0-beta.9"
                },
                {
                  "status": "affected",
                  "version": "0.2.0-beta.10"
                },
                {
                  "status": "affected",
                  "version": "0.2.0-beta.11"
                },
                {
                  "status": "affected",
                  "version": "0.2.0-beta.12"
                },
                {
                  "status": "affected",
                  "version": "0.2.0-beta.13"
                },
                {
                  "status": "affected",
                  "version": "0.2.0-beta.14"
                },
                {
                  "status": "affected",
                  "version": "0.2.0-beta.15"
                },
                {
                  "status": "affected",
                  "version": "0.2.0-beta.16"
                },
                {
                  "status": "affected",
                  "version": "0.2.0-beta.17"
                },
                {
                  "status": "affected",
                  "version": "0.2.0-beta.18"
                },
                {
                  "status": "affected",
                  "version": "0.2.0-beta.19"
                },
                {
                  "status": "affected",
                  "version": "0.2.0-beta.20"
                },
                {
                  "status": "affected",
                  "version": "0.2.0-beta.21"
                },
                {
                  "status": "affected",
                  "version": "0.2.0-beta.22"
                },
                {
                  "status": "affected",
                  "version": "0.2.0-beta.23"
                },
                {
                  "status": "affected",
                  "version": "0.2.0-beta.24"
                },
                {
                  "status": "affected",
                  "version": "0.2.0-beta.25"
                },
                {
                  "status": "affected",
                  "version": "0.2.0-beta.26"
                },
                {
                  "status": "affected",
                  "version": "0.2.0-beta.27"
                },
                {
                  "status": "affected",
                  "version": "0.2.0-beta.28"
                },
                {
                  "status": "affected",
                  "version": "0.2.0-beta.29"
                },
                {
                  "status": "affected",
                  "version": "0.2.0-beta.30"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "havel8964 (VulDB User)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "VulDB CNA Team"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A flaw has been found in Helicone ai-gateway up to 0.2.0-beta.30. This affects the function build_target_url of the file ai-gateway/src/dispatcher/service.rs of the component AWS Metadata Service. Executing a manipulation of the argument extracted_path_and_query can lead to server-side request forgery. The attack can be executed remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 6.5,
                "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-918",
                  "description": "Server-Side Request Forgery",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-12T22:15:11.407Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-377837 | Helicone ai-gateway AWS Metadata Service service.rs build_target_url server-side request forgery",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/vuln/377837"
            },
            {
              "name": "VDB-377837 | CTI Indicators (IOB, IOC, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/vuln/377837/cti"
            },
            {
              "name": "CVE-2026-15508 | CVE Analysis and Report",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/cve/CVE-2026-15508"
            },
            {
              "name": "Submit #845671 | GitHub Helicone ai-gateway v0.2.0-beta.30 Server-Side Request Forgery",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/submit/845671"
            },
            {
              "tags": [
                "exploit",
                "issue-tracking"
              ],
              "url": "https://github.com/oscar2744/CVE-Submit/issues/1"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-07-12T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2026-07-12T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2026-07-12T07:57:28.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "Helicone ai-gateway AWS Metadata Service service.rs build_target_url server-side request forgery"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2026-15508",
        "datePublished": "2026-07-12T22:15:11.407Z",
        "dateReserved": "2026-07-12T05:52:24.844Z",
        "dateUpdated": "2026-07-12T22:15:11.407Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }