
Gpt Researcher

Product: 5 CVEs (monthly view)

CVE-2026-5633 MEDIUM POC This Month

Server-side request forgery in gpt-researcher versions up to 3.4.3 allows unauthenticated remote attackers to manipulate the source_urls parameter of the ws endpoint, steering the server into fetching attacker-chosen URLs; confidentiality, integrity and availability impact are each rated low (partial). A public exploit exists via GitHub issue #1696, and the vendor has not responded to the early disclosure. EPSS gives no signal yet (0.0% listed), but the low attack complexity (AC:L) and the proof of concept raise the immediate risk for internet-exposed instances. Because fetching arbitrary web pages is the product's core function, the practical mitigation until a fix ships is to keep instances off the public internet and to restrict outbound traffic from the host so that loopback, private-range and cloud-metadata addresses are unreachable.

Tags: SSRF, Gpt Researcher
Sources: NVD, VulDB, GitHub
CVSS 4.0: 5.5 | EPSS: 0.0%
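The destination check a deployer or maintainer would want in front of a source_urls-style parameter, as an added example that is not gpt-researcher's own code. The function names, the http/https-only and default-ports-only policy, and the rule that every resolved address must be public are assumptions made for this example; the resolver is injectable so the check can be exercised offline.

```python
# Added example, not gpt-researcher code. is_safe_source_url and
# filter_source_urls are names chosen here; the policy (http/https only,
# ports 80/443 only, every resolved address public) is an assumption about
# what a web research fetcher legitimately needs.
import ipaddress
import socket
from typing import Callable, Iterable, Union
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}
IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def _default_resolve(host: str) -> list[str]:
    """Resolve a hostname to every address the resolver returns (A and AAAA)."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def _is_non_public(ip: IPAddress) -> bool:
    """True for anything a server-side fetcher must never be steered at:
    loopback, RFC 1918 / ULA, link-local (which covers the 169.254.169.254
    cloud metadata endpoint), multicast, unspecified and reserved ranges."""
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 is still loopback
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_multicast or ip.is_unspecified or ip.is_reserved)


def is_safe_source_url(url: str,
                       resolve: Callable[[str], Iterable[str]] = _default_resolve
                       ) -> tuple[bool, str]:
    """Return (accepted, reason) for one candidate source URL."""
    try:
        parts = urlsplit(url.strip())
    except ValueError as exc:  # e.g. malformed IPv6 literal
        return False, f"unparseable url: {exc}"
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    if parts.username or parts.password:
        return False, "credentials in url"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        port = parts.port  # raises ValueError on a non-numeric or out-of-range port
    except ValueError:
        return False, "invalid port"
    port = port if port is not None else (443 if scheme == "https" else 80)
    if port not in ALLOWED_PORTS:
        return False, f"port not allowed: {port}"
    # An IP literal is checked directly. Anything else is resolved and every
    # returned address must be public, so a name that round-robins between a
    # public and an internal address is rejected outright. Spellings that
    # ipaddress does not accept but libc does (octal "0177.0.0.1", decimal
    # "2130706433") fall through to the resolver and are judged by what it
    # returns.
    try:
        addrs: list[IPAddress] = [ipaddress.ip_address(host)]
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolve(host)]
        except (socket.gaierror, ValueError) as exc:
            return False, f"resolution failed: {exc}"
        if not addrs:
            return False, "name did not resolve"
    for ip in addrs:
        if _is_non_public(ip):
            return False, f"non-public address: {ip}"
    return True, "ok"


def filter_source_urls(urls: Iterable[str],
                       resolve: Callable[[str], Iterable[str]] = _default_resolve
                       ) -> tuple[list[str], list[tuple[str, str]]]:
    """Split a source_urls list into accepted URLs and (url, reason) rejects."""
    accepted: list[str] = []
    rejected: list[tuple[str, str]] = []
    for url in urls:
        ok, reason = is_safe_source_url(url, resolve)
        if ok:
            accepted.append(url)
        else:
            rejected.append((url, reason))
    return accepted, rejected
```

This check is a pre-flight only: the name can be re-resolved to an internal address between the check and the actual fetch (DNS rebinding), so the HTTP client should connect to the address that was validated, or the same policy should be enforced at the host's egress where it cannot be bypassed by the application.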
CVE-2026-5632 MEDIUM POC This Month

Missing authentication in the gpt-researcher HTTP REST API (versions ≤3.4.3) allows remote attackers to bypass access controls and interact with the API without credentials. Public exploit code exists (GitHub issue #1695), enabling unauthorized information disclosure, data manipulation and service disruption. The CVSS v3.1 base score of 7.3 (network attack vector, low complexity, no privileges required; 5.5 under CVSS 4.0 as listed here) indicates significant exploitability. The vendor has not responded to the early disclosure (VulDB submission 785874), so there is no official patch guidance; until there is, put the API behind an authenticating reverse proxy or restrict it to trusted networks.

Tags: Authentication Bypass, Gpt Researcher
Sources: NVD, VulDB, GitHub
CVSS 4.0: 5.5 | EPSS: 0.1%
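A fail-closed bearer-token gate of the kind a deployer could put in front of both the REST API and the WebSocket endpoint while no official fix exists, as an added example that is not gpt-researcher's own code. The environment variable name RESEARCH_API_TOKEN, the minimum token length and the query-string fallback for WebSocket handshakes are assumptions made here.

```python
# Added example, not gpt-researcher code. RESEARCH_API_TOKEN, MIN_TOKEN_LEN
# and the ?token= fallback are assumptions made for this example.
import hmac
import os
from typing import Mapping, Optional

MIN_TOKEN_LEN = 32


class AuthError(Exception):
    """Raised when the server itself is misconfigured (no usable secret)."""


def expected_token(env: Mapping[str, str] = os.environ) -> str:
    """Fail closed: a missing or weak secret disables access instead of
    silently letting everyone in, which is how 'missing authentication'
    findings are usually born."""
    token = env.get("RESEARCH_API_TOKEN", "")
    if len(token) < MIN_TOKEN_LEN:
        raise AuthError(f"RESEARCH_API_TOKEN unset or shorter than {MIN_TOKEN_LEN} chars")
    return token


def presented_token(headers: Mapping[str, str], query: Mapping[str, str]) -> Optional[str]:
    """Pull the client's token from 'Authorization: Bearer ...' (header names
    are compared case-insensitively). Browser WebSocket clients cannot set
    headers on the handshake, so a ?token= query parameter is accepted as a
    fallback; if you enable that, treat access logs as secret-bearing."""
    lowered = {k.lower(): v for k, v in headers.items()}
    scheme, _, value = lowered.get("authorization", "").partition(" ")
    if scheme.lower() == "bearer" and value.strip():
        return value.strip()
    return query.get("token") or None


def authorize(headers: Mapping[str, str], query: Mapping[str, str],
              secret: Optional[str] = None) -> bool:
    """True only when the client presents exactly the configured secret.
    The comparison is constant-time so response timing does not leak how
    many leading bytes of a guess were right."""
    secret = expected_token() if secret is None else secret
    token = presented_token(headers, query)
    if token is None:
        return False
    return hmac.compare_digest(token.encode("utf-8"), secret.encode("utf-8"))
```

Wire authorize() into the HTTP middleware and into the WebSocket accept path; rejecting before the socket is accepted matters, because the RCE entry above needs only a connected, unauthenticated client.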
CVE-2026-5631 MEDIUM POC This Month

Remote code injection in gpt-researcher (assafelovic) versions up to 3.4.3 allows unauthenticated attackers to execute arbitrary code via the WebSocket endpoint's extract_command_data function, owing to improper input validation of the 'args' parameter in backend/server/server_utils.py. Public exploit code exists (GitHub issue #1694); no in-the-wild exploitation has been reported (not in CISA KEV). The CVSS v3.1 base score of 7.3 (network attack vector, no authentication required; 5.5 under CVSS 4.0 as listed here) makes this a significant risk to exposed instances, and the vendor response is still pending. Since no credentials are needed, any reachable WebSocket listener should be treated as handing code execution to whoever can connect until a fix is available.

Tags: Code Injection, RCE, Gpt Researcher
Sources: NVD, VulDB, GitHub
CVSS 4.0: 5.5 | EPSS: 0.0%
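The shape of command handling that does not turn an 'args' field into code execution: a fixed command registry, JSON-only parsing, a per-command field allowlist, and dispatch through a lookup table. This is an added example, not gpt-researcher's extract_command_data; the "<command> <json>" wire format, the command names, the report types and the field schemas are all assumptions made here.

```python
# Added example, not gpt-researcher code. The wire format, command names,
# ALLOWED_REPORT_TYPES and SCHEMAS are assumptions made for this example.
import json
from dataclasses import dataclass
from typing import Any, Callable

MAX_MESSAGE_BYTES = 64 * 1024
MAX_TASK_CHARS = 2000


class BadCommand(ValueError):
    """Rejected message; the caller should drop it and may close the socket."""


@dataclass(frozen=True)
class Command:
    name: str
    args: dict[str, Any]


# command -> {field: (expected_type, required)}; fields not listed are rejected.
SCHEMAS: dict[str, dict[str, tuple[type, bool]]] = {
    "start": {"task": (str, True), "report_type": (str, True), "source_urls": (list, False)},
    "stop": {},
}
ALLOWED_REPORT_TYPES = {"research_report", "detailed_report", "outline_report"}


def extract_command_data(raw: str) -> Command:
    """Parse '<command> <json-object>' into a validated Command or raise."""
    if len(raw.encode("utf-8", "replace")) > MAX_MESSAGE_BYTES:
        raise BadCommand("message too large")
    name, _, payload = raw.strip().partition(" ")
    if name not in SCHEMAS:  # the registry is the only source of command names
        raise BadCommand(f"unknown command {name!r}")
    try:
        args = json.loads(payload) if payload else {}
    except json.JSONDecodeError as exc:
        raise BadCommand(f"args is not valid JSON: {exc.msg}") from None
    if not isinstance(args, dict):
        raise BadCommand("args must be a JSON object")
    schema = SCHEMAS[name]
    unknown = sorted(set(args) - set(schema))
    if unknown:  # reject rather than ignore: unknown keys are how smuggled options get in
        raise BadCommand(f"unexpected field(s): {unknown}")
    for field, (expected, required) in schema.items():
        if field not in args:
            if required:
                raise BadCommand(f"missing field {field!r}")
            continue
        if not isinstance(args[field], expected):
            raise BadCommand(f"field {field!r} must be {expected.__name__}")
    if name == "start":
        if args["report_type"] not in ALLOWED_REPORT_TYPES:
            raise BadCommand("unknown report_type")
        if not 0 < len(args["task"]) <= MAX_TASK_CHARS:
            raise BadCommand("task length out of range")
        if not all(isinstance(u, str) for u in args.get("source_urls", [])):
            raise BadCommand("source_urls must be a list of strings")
    return Command(name, args)


def _start(args: dict[str, Any]) -> str:
    return f"started {args['report_type']} for {len(args['task'])}-char task"


def _stop(args: dict[str, Any]) -> str:
    return "stopped"


HANDLERS: dict[str, Callable[[dict[str, Any]], str]] = {"start": _start, "stop": _stop}


def dispatch(raw: str) -> str:
    """The command name is only ever a dict key, never fed to getattr, eval,
    exec or a subprocess, and args reach a handler only after validation."""
    cmd = extract_command_data(raw)
    return HANDLERS[cmd.name](cmd.args)
```

The validated task and source_urls values are still untrusted data once they leave this function; they need the output encoding and destination checks shown for the XSS and SSRF entries on this page, this step only guarantees they are plain strings of bounded size.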
CVE-2026-5630 LOW POC Monitor

Stored cross-site scripting (XSS) in assafelovic gpt-researcher versions up to 3.4.3 allows unauthenticated remote attackers to inject script via the Report API in backend/server/app.py. The payload fires when a user views the affected report (user interaction required), and the impact is rated low, integrity only (CVSS v3.1 base 4.3; 2.1 under CVSS 4.0 as listed here). Public exploit code exists, and the vendor has not addressed the issue despite early notification.

Tags: XSS, Gpt Researcher
Sources: NVD, VulDB, GitHub
CVSS 4.0: 2.1 | EPSS: 0.0%
CVE-2026-5625 LOW POC Monitor

Cross-site scripting (XSS) in assafelovic gpt-researcher up to version 3.4.3 allows unauthenticated remote attackers to inject script by manipulating the task argument of the WebSocket interface; the affected file is gpt_researcher/skills/researcher.py. Severity is low (CVSS v3.1 base 4.3; 2.1 under CVSS 4.0 as listed here), but a public proof of concept confirms the issue is practically exploitable. Any value of task that is later rendered in the web UI or in a generated report must be treated as untrusted text and escaped at the point of output.

Tags: XSS, Gpt Researcher
Sources: NVD, VulDB, GitHub
CVSS 4.0: 2.1 | EPSS: 0.0%
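Output encoding for both XSS entries (the stored report body served by the Report API, and the task string that arrives over the WebSocket), as an added example that is not gpt-researcher's own code: the task is untrusted text and is HTML-escaped wherever it is interpolated; a report body that legitimately contains markup is rebuilt against a tag and attribute allowlist using the standard library's HTMLParser. The allowlists, the rel attribute added to links and the CSP value are assumptions made here.

```python
# Added example, not gpt-researcher code. ALLOWED_TAGS, ALLOWED_ATTRS,
# SAFE_LINK_SCHEMES and CSP_HEADER are assumptions made for this example.
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

ALLOWED_TAGS = {"p", "h1", "h2", "h3", "ul", "ol", "li", "a", "strong", "em",
                "code", "pre", "br", "blockquote"}
VOID_TAGS = {"br"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_LINK_SCHEMES = {"http", "https"}  # absolute links only


class _AllowlistSanitizer(HTMLParser):
    """Rebuilds the fragment from scratch: disallowed tags and attributes are
    dropped (their text content is kept, escaped), comments are dropped, and
    every emitted tag is closed so injected markup cannot leave an element
    open across the rest of the page."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self.open: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return
        kept = ""
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue  # drops onerror=, onclick=, style=, srcdoc=, ...
            if name == "href":
                try:
                    scheme = urlsplit(value.strip()).scheme.lower()
                except ValueError:
                    continue
                if scheme not in SAFE_LINK_SCHEMES:
                    continue  # drops javascript:, data:, vbscript: and relative links
            kept += f' {name}="{html.escape(value, quote=True)}"'
        if tag == "a" and kept:
            kept += ' rel="noopener noreferrer"'
        self.out.append(f"<{tag}{kept}>")
        if tag not in VOID_TAGS:
            self.open.append(tag)

    def handle_endtag(self, tag):
        if tag in self.open:  # also closes any unclosed elements nested inside it
            while self.open:
                closed = self.open.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        # <script> and <style> bodies arrive here as data; escaped text is inert.
        self.out.append(html.escape(data, quote=False))

    def handle_comment(self, data):
        pass  # comments can hide conditional payloads; nothing to keep

    def result(self) -> str:
        while self.open:
            self.out.append(f"</{self.open.pop()}>")
        return "".join(self.out)


def sanitize_report_html(fragment: str) -> str:
    """Reduce a stored report body to the allowlisted subset of HTML."""
    parser = _AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return parser.result()


def render_report_page(task: str, report_html: str) -> str:
    """task goes into text nodes only (escaped); report_html is sanitized."""
    safe_task = html.escape(task, quote=True)
    return ("<!doctype html><html><head><meta charset=\"utf-8\">"
            f"<title>{safe_task}</title></head><body>"
            f"<h1>Research: {safe_task}</h1>"
            f"<article>{sanitize_report_html(report_html)}</article>"
            "</body></html>")


# Defence in depth on the response that serves reports: no inline script,
# no plugins, no framing.
CSP_HEADER = ("Content-Security-Policy",
              "default-src 'self'; script-src 'self'; object-src 'none'; "
              "base-uri 'none'; frame-ancestors 'none'")
```

If the report body is produced as Markdown, convert it to HTML first and sanitize the result, never the Markdown source: raw HTML passes through most Markdown renderers untouched.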