CVE-2026-5003 MEDIUM

CVE-2026-5003: PromtEngineer localGPT Web api_server.py handle_index information disclosure

Vendor Promtengineer
Product localGPT
Weakness CWE-200 · Info exposure
Published March 28, 2026
Last update March 30, 2026
View on NVD All CVEs

CVSS base score

6.9/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P

What the vulnerability does

01Description

A vulnerability was found in PromtEngineer localGPT up to 4d41c7d1713b16b216d8e062e51a5dd88b20b054. This affects the function handle_index of the file rag_system/api_server.py of the component Web Interface. Performing a manipulation results in information disclosure. It is possible to initiate the attack remotely. The exploit has been made public and could be used. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way.

Key dates

02Disclosure timeline

March 28, 2026 CVE published
March 30, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2025-34272 Nagios Log Server < 2024R2.0.3 Non-Empty Default Dashboard Fallback CVE-2024-52280 Users can issue watch commands for arbitrary resources CVE-2026-33161 Craft CMS: Anonymous "assets/image-editor" calls returns private asset editor metadata to unauthorized users CVE-2024-22294 WordPress Download IP2Location Country Blocker Plugin <= 2.33.3 is vulnerable to Sensitive Data Exposure CVE-2026-5847 code-projects Movie Ticketing System SQL Database Backup File moviedb.sql information disclosure