Description
A vulnerability has been found in PromtEngineer localGPT up to 4d41c7d1713b16b216d8e062e51a5dd88b20b054. The impacted element is the function _route_using_overviews of the file backend/server.py of the component LLM Prompt Handler. Such manipulation leads to injection. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-03-28
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Injection
Action: Assess
AI Analysis

Impact

The vulnerability resides in the _route_using_overviews function of the backend/server.py module in PromtEngineer localGPT. By sending specially crafted input, an attacker can cause an injection that may allow execution of arbitrary code or commands. The description explicitly notes that the attack may be performed from remote, indicating that an unauthenticated client can trigger the flaw. The CVSS score of 6.9 portrays a moderate severity risk, and while the exploit is publicly disclosed, no critical mitigations are publicly published, raising the potential for widespread exploitation.

Affected Systems

PromtEngineer localGPT is affected. The vulnerability applies to any release built from commit 4d41c7d1713b16b216d8e062e51a5dd88b20b054 or earlier. The project employs a rolling release model, so exact version numbers for patched releases are not advertised. Users should verify their local GPT component against the recent Git repository history for an updated build.

Risk and Exploitability

The attack vector is remote and does not require authentication, as evidenced by the description. Although the EPSS score is not available, the public disclosure and absence of vendor response suggest a realistic risk of exploitation. The CVSS score of 6.9 indicates that a successful attack could lead to significant damage, such as unauthorized code execution or data breach. The lack of inclusion in CISA's KEV catalog does not diminish the urgency, but it does reflect that the vulnerability is not yet widely catalogued in national spotting efforts.

Generated by OpenCVE AI on March 28, 2026 at 18:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Verify the current localGPT commit and check whether an updated release has been issued by PromtEngineer.
  • If a new release is available, upgrade or apply the vendor‑issued patch as soon as possible.
  • If no patch exists, restrict external access to the endpoint that triggers _route_using_overviews or disable unneeded routes entirely.
  • Implement input validation and sanitization on the server side to prevent the injection patterns described.
  • Monitor network traffic and application logs for unusual requests that resemble the exploit vector and respond before impact occurs.

Generated by OpenCVE AI on March 28, 2026 at 18:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 30 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 30 Mar 2026 07:15:00 +0000

Type Values Removed Values Added
First Time appeared Promtengineer
Promtengineer localgpt
Vendors & Products Promtengineer
Promtengineer localgpt

Sat, 28 Mar 2026 17:00:00 +0000

Type Values Removed Values Added
Description A vulnerability has been found in PromtEngineer localGPT up to 4d41c7d1713b16b216d8e062e51a5dd88b20b054. The impacted element is the function _route_using_overviews of the file backend/server.py of the component LLM Prompt Handler. Such manipulation leads to injection. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. The vendor was contacted early about this disclosure but did not respond in any way.
Title PromtEngineer localGPT LLM Prompt server.py _route_using_overviews injection
Weaknesses CWE-707
CWE-74
References
Metrics cvssV2_0

{'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Promtengineer Localgpt
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-30T14:53:10.304Z

Reserved: 2026-03-27T13:48:27.528Z

Link: CVE-2026-5002

cve-icon Vulnrichment

Updated: 2026-03-30T13:14:35.558Z

cve-icon NVD

Status : Deferred

Published: 2026-03-28T17:16:45.450

Modified: 2026-04-24T16:36:24.067

Link: CVE-2026-5002

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-30T06:59:00Z

Weaknesses