Description
A weakness has been identified in assafelovic gpt-researcher up to 3.4.3. This issue affects some unknown processing of the file gpt_researcher/skills/researcher.py of the component WebSocket Interface. Executing a manipulation of the argument task can lead to cross site scripting. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-04-06
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting
Action: Patch ASAP
AI Analysis

Impact

A vulnerability was identified in the WebSocket interface component of the GPT‑Researcher project. The flaw resides in the researcher.py file, where the task argument is processed without adequate validation. This issue permits an attacker to inject arbitrary script code, leading to cross‑site scripting (XSS) that can execute client‑side code, potentially stealing credentials or hijacking sessions. The weakness is categorized as CWE‑79, indicating improper input handling for web content, and also involves dynamic code execution as described by CWE‑94.

Affected Systems

The vulnerability affects all releases of the GPT‑Researcher project up to and including version 3.4.3. The affected product is the WebSocket interface provided by the open‑source project maintained by “assafelovic.” No specific vendor or product name beyond the open‑source repository is listed, and affected versions are identified by the project's release history.

Risk and Exploitability

The CVSS score of 5.3 reflects moderate severity, but the vulnerability can be leveraged remotely and the exploit code is publicly available. While the EPSS score is not provided, the public availability of the exploit and the lack of an official patch suggest a non‑negligible risk. Attackers could target any exposed WebSocket endpoint to send a crafted task argument, triggering the XSS payload in connected clients. The vulnerability has not been added to the CISA KEV catalog, but the lack of patching implies that organizations using the affected commands should act promptly.

Generated by OpenCVE AI on April 6, 2026 at 07:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade GPT‑Researcher to a version newer than 3.4.3 once a patch is released.
  • Consider disabling the WebSocket interface or restricting it to trusted networks.
  • Implement server‑side validation of the 'task' argument to whitelist acceptable content and strip or escape potentially malicious characters.
  • Monitor WebSocket logs for unusual activity that may indicate exploitation attempts.
  • Keep the project repository actively monitored for any future vulnerability disclosures or remediation releases.

Generated by OpenCVE AI on April 6, 2026 at 07:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 07 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
First Time appeared Assafelovic
Assafelovic gpt-researcher
Vendors & Products Assafelovic
Assafelovic gpt-researcher

Mon, 06 Apr 2026 20:00:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 06 Apr 2026 05:30:00 +0000

Type Values Removed Values Added
Description A weakness has been identified in assafelovic gpt-researcher up to 3.4.3. This issue affects some unknown processing of the file gpt_researcher/skills/researcher.py of the component WebSocket Interface. Executing a manipulation of the argument task can lead to cross site scripting. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
Title assafelovic gpt-researcher WebSocket researcher.py cross site scripting
Weaknesses CWE-79
CWE-94
References
Metrics cvssV2_0

{'score': 5, 'vector': 'AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Assafelovic Gpt-researcher
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-06T18:19:22.324Z

Reserved: 2026-04-05T16:56:14.695Z

Link: CVE-2026-5625

cve-icon Vulnrichment

Updated: 2026-04-06T18:19:18.694Z

cve-icon NVD

Status : Deferred

Published: 2026-04-06T06:16:21.860

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-5625

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-06T21:47:22Z

Weaknesses