CVE-2026-5630
MEDIUMassafelovic gpt-researcher Report API app.py cross site scripting
Title source: cnaDescription
A flaw has been found in assafelovic gpt-researcher up to 3.4.3. The impacted element is an unknown function of the file backend/server/app.py of the component Report API. This manipulation causes cross site scripting. The attack is possible to be carried out remotely. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet.
References (5)
Core 5
Core References
Vdb Entry vdb-entry
VDB-355418 | assafelovic gpt-researcher Report API app.py cross site scripting
https://vuldb.com/vuln/355418
Signature, Permissions Required signature
permissions-required
VDB-355418 | CTI Indicators (IOB, IOC, TTP, IOA)
https://vuldb.com/vuln/355418/cti
Third Party Advisory third-party-advisory
Submit #785856 | assafelovic gpt-researcher 3.4.3 Stored Cross-Site Scripting (XSS)
https://vuldb.com/submit/785856
Exploit exploit
issue-tracking
https://github.com/assafelovic/gpt-researcher/issues/1693
Product product
https://github.com/assafelovic/gpt-researcher/
Scores
CVSS v3
4.3
EPSS
0.0034
EPSS Percentile
25.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
CWE-94
Status
published
Products (4)
assafelovic/gpt-researcher
3.4.0
assafelovic/gpt-researcher
3.4.1
assafelovic/gpt-researcher
3.4.2
assafelovic/gpt-researcher
3.4.3
Published
Apr 06, 2026
Tracked Since
Apr 06, 2026