Is there a public PoC exploit available for CVE-2026-5630?

Yes, a public proof-of-concept exploit is available for CVE-2026-5630. Prioritise patching immediately. EPSS: 0.0%.

Gpt Researcher CVE-2026-5630

Q: What is the CVSS score of CVE-2026-5630?

CVE-2026-5630 has a CVSS 4.0 base score of 2.1 (Low). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

EUVD-2026-19184 LOW

Cross-site Scripting (XSS) (CWE-79)

2026-04-06 VulDB

XSS Gpt Researcher

2.1

CVSS 4.0 · NVD

Severity by source

NVD PRIMARY

2.1 LOW

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Scope

Lifecycle Timeline

Severity Changed

Apr 29, 2026 - 01:11 NVD

MEDIUM LOW

CVSS changed

Apr 29, 2026 - 01:11 NVD

5.3 (MEDIUM) 2.1 (LOW)

PoC Detected

Apr 07, 2026 - 13:20 vuln.today

Public exploit code

EUVD ID Assigned

Apr 06, 2026 - 07:00 euvd

EUVD-2026-19184

Analysis Generated

Apr 06, 2026 - 07:00 vuln.today

CVE Published

Apr 06, 2026 - 06:15 nvd

MEDIUM 5.3

DescriptionCVE.org

A flaw has been found in assafelovic gpt-researcher up to 3.4.3. The impacted element is an unknown function of the file backend/server/app.py of the component Report API. This manipulation causes cross site scripting. The attack is possible to be carried out remotely. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet.

AnalysisAI

Stored cross-site scripting (XSS) in assafelovic gpt-researcher versions up to 3.4.3 allows unauthenticated remote attackers to inject malicious scripts via the Report API in backend/server/app.py. The vulnerability requires user interaction (report viewing) to trigger payload execution and carries low integrity impact (CVSS 4.3). …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Vulnerability AssessmentAI

Risk Assessment	This vulnerability presents a moderate exploitation risk despite its low CVSS score (4.3). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker discovers the Report API endpoint in a publicly hosted gpt-researcher instance and crafts a malicious URL containing JavaScript payload in a report parameter (e.g., /api/report?content=<script>...</script>). When a legitimate user clicks the link or the payload is stored and viewed by another user, the JavaScript executes in their browser, potentially stealing session cookies, API tokens, or redirecting to a phishing site. …
Remediation	No vendor-released patched version identified at time of analysis; the project has not responded to the early notification. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-5630 vulnerability details – vuln.today

Back