CVE-2026-0763
CRITICALCVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2Description
GPT Academic run_in_subprocess_wrapper_func Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GPT Academic. Authentication is not required to exploit this vulnerability. The specific flaw exists within the run_in_subprocess_wrapper_func function. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-27958.
Analysis
GPT Academic has an insecure deserialization in run_in_subprocess_wrapper_func (EPSS 1.7%) enabling remote code execution through crafted subprocess data.
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Identify all GPT Academic deployments across the organization and isolate affected systems from production networks if operationally feasible. Within 7 days: Implement network-level restrictions (WAF rules, IP whitelisting) and disable the subprocess functionality if the application permits. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today