CVE-2026-45366 | universal-tool-calling-protocol typescript-utcp up to 1.1.1 registerManual server-side request forgery (GHSA-r8j5-8747-88cm)
ID: b364525a-3c0c-51fa-8941-4a161eb05640
STIX ID: report--b364525a-3c0c-51fa-8941-4a161eb05640
Feed Name: VulDB Recent Entries
CVE-2026-45366 is a blind SSRF vulnerability in typescript-utcp (<=1.1.1). An attacker-hosted OpenAPI spec can cause the library to invoke internal HTTP endpoints (e.g., 127.0.0.1 or 169.254.169.254) by exploiting a validation inconsistency between registerManual and callTool. The issue is remote and unauthenticated, but no public exploit is available. It is fixed in version 1.1.2; upgrade is recommended.
