EUVD-2026-19178
GHSA-9v4r-x2jq-w7jg
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4Tags
Description
A weakness has been identified in assafelovic gpt-researcher up to 3.4.3. This issue affects some unknown processing of the file gpt_researcher/skills/researcher.py of the component WebSocket Interface. Executing a manipulation of the argument task can lead to cross site scripting. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
Analysis
Cross-site scripting (XSS) vulnerability in assafelovic gpt-researcher up to version 3.4.3 allows unauthenticated remote attackers to inject malicious scripts via manipulation of the task argument in the WebSocket Interface component. Publicly available exploit code exists, and the vulnerability affects the file gpt_researcher/skills/researcher.py with low CVSS severity (4.3) but confirmed proof-of-concept availability indicating active technical feasibility.
Sign in for full analysis, threat intelligence, and remediation guidance.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today