Is there a public PoC exploit available for CVE-2026-6878?

Yes, a public proof-of-concept exploit is available for CVE-2026-6878. Prioritise patching immediately. EPSS: 0.0%.

ByteDance verl CVE-2026-6878

Q: What is the CVSS score of CVE-2026-6878?

CVE-2026-6878 has a CVSS 4.0 base score of 2.9 (Low). CVSS vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

EUVD-2026-25146 LOW

Privilege Issues (CWE-265)

2026-04-23 VulDB

GHSA-h57c-v2v3-5v3v

Information Disclosure

2.9

CVSS 4.0

CVSS VectorNVD

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

Severity Changed

Apr 29, 2026 - 01:12 NVD

MEDIUM LOW

CVSS changed

Apr 29, 2026 - 01:12 NVD

6.3 (MEDIUM) 2.9 (LOW)

PoC Detected

Apr 29, 2026 - 01:00 vuln.today

Public exploit code

Analysis Generated

Apr 23, 2026 - 07:07 vuln.today

CVSS changed

Apr 23, 2026 - 00:22 NVD

5.6 (MEDIUM) 6.3 (MEDIUM)

EUVD ID Assigned

Apr 23, 2026 - 00:15 euvd

EUVD-2026-25146

Analysis Generated

Apr 23, 2026 - 00:15 vuln.today

CVE Published

Apr 23, 2026 - 00:00 nvd

LOW 2.9

Blast Radius

ecosystem impact

† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth

1 pypi packages depend on verl (1 direct, 0 indirect)

Ecosystem-wide dependent count for version 0.7.1.

DescriptionNVD

A vulnerability was identified in ByteDance verl up to 0.7.0. Affected is the function math_equal of the file prime_math/grader.py. The manipulation leads to sandbox issue. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Sandbox bypass in ByteDance verl up to version 0.7.0 allows remote attackers to achieve limited information disclosure through manipulation of the math_equal function in prime_math/grader.py. The vulnerability requires high attack complexity and has been publicly documented with exploit code available, though the vendor has not responded to early disclosure attempts.

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-6878 vulnerability details – vuln.today

Back