CVE-2026-5625 MEDIUM

CVE-2026-5625: assafelovic gpt-researcher WebSocket researcher.py cross site scripting

Vendor Assafelovic
Product gpt-researcher
Weakness CWE-79 · XSS
Published April 6, 2026
Last update April 6, 2026
View on NVD All CVEs

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P

What the vulnerability does

01Description

A weakness has been identified in assafelovic gpt-researcher up to 3.4.3. This issue affects some unknown processing of the file gpt_researcher/skills/researcher.py of the component WebSocket Interface. Executing a manipulation of the argument task can lead to cross site scripting. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.

Key dates

02Disclosure timeline

April 6, 2026 CVE published
April 6, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2026-45778 Open XDMoD Vulnerable to Reflected Cross-Site Scripting (XSS) in Password Reset CVE-2026-34562 CI4MS: System Settings (Company Information) Full Platform Compromise & Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS CVE-2025-67629 WordPress Basticom Framework plugin <= 1.5.2 - Cross Site Scripting (XSS) vulnerability CVE-2025-66468 Aimeos GrapesJS CMS extension possible stores XSS exploitable by authenticated editors CVE-2024-1825 CodeAstro House Rental Management System User Registration Page cross site scripting