EUVD-2026-19190
GHSA-8p84-j4x4-c993
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4Tags
Description
A vulnerability was determined in assafelovic gpt-researcher up to 3.4.3. Affected is an unknown function of the component ws Endpoint. Executing a manipulation of the argument source_urls can lead to server-side request forgery. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through an issue report but has not responded yet.
Analysis
Server-side request forgery in gpt-researcher versions up to 3.4.3 allows unauthenticated remote attackers to manipulate the source_urls parameter at the ws endpoint, enabling partial confidentiality, integrity, and availability impacts. A publicly available exploit exists via GitHub issue #1696, though the vendor has not responded to early disclosure. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: identify all gpt-researcher deployments in production and air-gap or restrict network access to the ws endpoint pending further assessment. Within 7 days: implement WAF rules blocking suspicious source_urls parameters, isolate affected instances to trusted networks only, and contact gpt-researcher maintainers for status on patch timeline. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today