CVE-2026-5630 MEDIUM

CVE-2026-5630: assafelovic gpt-researcher Report API app.py cross site scripting

Vendor Assafelovic
Product gpt-researcher
Weakness CWE-79 · XSS
Published April 6, 2026
Last update April 6, 2026
View on NVD All CVEs

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P

What the vulnerability does

01Description

A flaw has been found in assafelovic gpt-researcher up to 3.4.3. The impacted element is an unknown function of the file backend/server/app.py of the component Report API. This manipulation causes cross site scripting. The attack is possible to be carried out remotely. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet.

Key dates

02Disclosure timeline

April 6, 2026 CVE published
April 6, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2024-2111 Events Manager <= 6.4.7.1 - Authenticated (Contributor+) Stored Cross-Site Scripting CVE-2026-25490 Craft Commerce has Stored XSS in Inventory Location Address Leading to Potential Privilege Escalation CVE-2023-2076 Campcodes Online Traffic Offense Management System Users.phpp cross site scripting CVE-2025-9879 Spotify Embed Creator <= 1.0.5 - Authenticated (Contributor+) Stored Cross-Site Scripting CVE-2024-51935 WordPress Fast Video and Image Display plugin <= 2.5.2 - Cross Site Scripting (XSS) vulnerability