Description
A flaw has been found in assafelovic gpt-researcher up to 3.4.3. The impacted element is an unknown function of the file backend/server/app.py of the component Report API. This manipulation causes cross site scripting. The attack is possible to be carried out remotely. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-04-06
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting
Action: Assess Impact
AI Analysis

Impact

The gpt‑researcher project contains a cross‑site scripting flaw in the Report API endpoint in the backend/server/app.py component, active in all releases up to 3.4.3. The flaw allows remote attackers to inject malicious JavaScript that runs in the context of the victim’s browser when the report page is rendered, potentially stealing session cookies, hijacking accounts, or executing additional client‑side code. This issue is classified as CWE‑79 and involves code execution paths identified as CWE‑94. The impact is the loss of confidentiality and integrity of user data and the possibility of executing arbitrary client‑side code on users’ machines.

Affected Systems

The vulnerability affects the gpt‑researcher application maintained by the user assafelovic, specifically the Report API logic in backend/server/app.py. All releases from the initial release through 3.4.3 are affected. The repository is hosted on GitHub and users can download the source or clone the project from https://github.com/assafelovic/gpt‑researcher.

Risk and Exploitability

The CVSS v3 score of 5.3 indicates a moderate risk, and the EPSS score is not available, so the exact likelihood cannot be quantified. The vulnerability is exploitable remotely, and published exploit scripts are available on GitHub and other vulnerability databases, making it a realistic threat. The issue is not currently listed in the CISA KEV catalog, but the existence of a publicly available exploit increases the urgency. Attackers can trigger the flaw by sending crafted requests to the Report API endpoint, and the resulting XSS can be used to steal session cookies or deliver further malicious payloads to unsuspecting users.

Generated by OpenCVE AI on April 6, 2026 at 10:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade gpt‑researcher to a version newer than 3.4.3 once the maintainer releases a patch.
  • If a newer release is not yet available, monitor the project's GitHub issues (e.g., issue #1693) for a fix or update notification.
  • Restrict or sanitize input to the Report API endpoint to eliminate the possibility of injecting malicious script, ensuring proper output encoding.
  • If the Report API is not essential for your deployment, consider disabling or removing that endpoint until a fix is applied.
  • Perform a code review of the backend/server/app.py function that is impacted and audit for other potential injection points.

Generated by OpenCVE AI on April 6, 2026 at 10:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 07 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
First Time appeared Assafelovic
Assafelovic gpt-researcher
Vendors & Products Assafelovic
Assafelovic gpt-researcher

Mon, 06 Apr 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 06 Apr 2026 08:00:00 +0000

Type Values Removed Values Added
Description A flaw has been found in assafelovic gpt-researcher up to 3.4.3. The impacted element is an unknown function of the file backend/server/app.py of the component Report API. This manipulation causes cross site scripting. The attack is possible to be carried out remotely. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Title assafelovic gpt-researcher Report API app.py cross site scripting
Weaknesses CWE-79
CWE-94
References
Metrics cvssV2_0

{'score': 5, 'vector': 'AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Assafelovic Gpt-researcher
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-06T14:55:58.182Z

Reserved: 2026-04-05T19:12:39.573Z

Link: CVE-2026-5630

cve-icon Vulnrichment

Updated: 2026-04-06T14:55:49.170Z

cve-icon NVD

Status : Deferred

Published: 2026-04-06T07:16:01.757

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-5630

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-06T21:47:19Z

Weaknesses