EUVD-2026-19186CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4Tags
Description
A vulnerability has been found in assafelovic gpt-researcher up to 3.4.3. This affects the function extract_command_data of the file backend/server/server_utils.py of the component ws Endpoint. Such manipulation of the argument args leads to code injection. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Analysis
Remote code injection in gpt-researcher (assafelovic) versions up to 3.4.3 allows unauthenticated attackers to execute arbitrary code via the WebSocket endpoint's extract_command_data function. The vulnerability stems from improper input validation of the 'args' parameter in backend/server/server_utils.py. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Identify all gpt-researcher deployments and their versions using asset inventory tools; isolate or disable any instances running versions 3.4.3 or earlier if internet-facing. Within 7 days: Monitor the assafelovic/gpt-researcher GitHub repository and vendor advisories for patch availability; consider implementing network segmentation to restrict WebSocket endpoint access to trusted networks only. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today