{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0613", "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b", "state": "PUBLISHED", "assignerShortName": "certcc", "dateReserved": "2026-01-05T17:40:07.817Z", "datePublished": "2026-01-16T12:46:02.733Z", "dateUpdated": "2026-01-16T21:41:53.497Z"}, "containers": {"cna": {"title": "CVE-2026-0613", "descriptions": [{"lang": "en", "value": "The Librarian contains an internal port scanning vulnerability, facilitated by the `web_fetch` tool, which can be used with SSRF-style behavior to perform GET requests to internal IP addresses and services, enabling scanning of the Hertzner cloud environment that TheLibrarian uses. The vendor has fixed the vulnerability in all affected versions."}], "source": {"discovery": "UNKNOWN"}, "affected": [{"vendor": "TheLibrarian", "product": "TheLibrarian.io", "versions": [{"status": "affected", "version": "0", "lessThanOrEqual": "1.0", "versionType": "custom"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere"}]}], "references": [{"url": "https://mindgard.ai/blog/thelibrarian-ios-ai-security-disclosure"}, {"url": "https://thelibrarian.io/"}], "x_generator": {"engine": "VINCE 3.0.31", "env": "prod", "origin": "https://cveawg.mitre.org/api/cve/CVE-2026-0613"}, "providerMetadata": {"orgId": "37e5125f-f79b-445b-8fad-9564f167944b", "shortName": "certcc", "dateUpdated": "2026-01-16T12:46:02.733Z"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-01-16T21:41:27.699155Z", "id": "CVE-2026-0613", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-16T21:41:53.497Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-0613", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-16T21:41:27.699155Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-16T21:41:46.800Z"}}], "cna": {"title": "CVE-2026-0613", "source": {"discovery": "UNKNOWN"}, "affected": [{"vendor": "TheLibrarian", "product": "TheLibrarian.io", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "1.0"}]}], "references": [{"url": "https://mindgard.ai/blog/thelibrarian-ios-ai-security-disclosure"}, {"url": "https://thelibrarian.io/"}], "x_generator": {"env": "prod", "engine": "VINCE 3.0.31", "origin": "https://cveawg.mitre.org/api/cve/CVE-2026-0613"}, "descriptions": [{"lang": "en", "value": "The Librarian contains an internal port scanning vulnerability, facilitated by the `web_fetch` tool, which can be used with SSRF-style behavior to perform GET requests to internal IP addresses and services, enabling scanning of the Hertzner cloud environment that TheLibrarian uses. The vendor has fixed the vulnerability in all affected versions."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere"}]}], "providerMetadata": {"orgId": "37e5125f-f79b-445b-8fad-9564f167944b", "shortName": "certcc", "dateUpdated": "2026-01-16T12:46:02.733Z"}}}, "cveMetadata": {"cveId": "CVE-2026-0613", "state": "PUBLISHED", "dateUpdated": "2026-01-16T21:41:53.497Z", "dateReserved": "2026-01-05T17:40:07.817Z", "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b", "datePublished": "2026-01-16T12:46:02.733Z", "assignerShortName": "certcc"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Librarian contains an internal port scanning vulnerability, facilitated by the `web_fetch` tool, which can be used with SSRF-style behavior to perform GET requests to internal IP addresses and services, enabling scanning of the Hertzner cloud environment that TheLibrarian uses. The vendor has fixed the vulnerability in all affected versions."}], "id": "CVE-2026-0613", "lastModified": "2026-01-16T22:16:19.360", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-01-16T13:16:11.780", "references": [{"source": "cret@cert.org", "url": "https://mindgard.ai/blog/thelibrarian-ios-ai-security-disclosure"}, {"source": "cret@cert.org", "url": "https://thelibrarian.io/"}], "sourceIdentifier": "cret@cert.org", "vulnStatus": "Awaiting Analysis"}

{}