CVE-2026-55237

Source
https://cve.org/CVERecord?id=CVE-2026-55237
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-55237.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-55237
Aliases
  • GHSA-j2cp-jg5q-38wj
Published
2026-06-18T16:21:40.882Z
Modified
2026-07-08T08:12:41.979628089Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L CVSS Calculator
Summary
AutoGPT SignUp Page has DOM-Based XSS and Open Redirect
Details

AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. Versions prior to 0.6.62 have a DOM-based Cross-Site Scripting (XSS) vulnerability in AutoGPT's signup page. The application improperly trusts a URL parameter (next), which is passed to router.push. An attacker can craft a malicious link that, when opened by an authenticated user, performs a client-side redirect and executes arbitrary JavaScript in the context of their browser. This could lead to credential theft, internal network pivoting, and unauthorized actions performed on behalf of the victim. Version 0.6.62 patches the issue.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/55xxx/CVE-2026-55237.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-601",
        "CWE-87"
    ]
}
References

Affected packages

Git / github.com/significant-gravitas/autogpt

Affected ranges

Type
GIT
Repo
https://github.com/significant-gravitas/autogpt
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": "AFFECTED_FIELD",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.6.62"
        }
    ]
}

Affected versions

agbenchmark-v0.*
agbenchmark-v0.0.10
agpt-platform-beta-v0.*
agpt-platform-beta-v0.1.0
agpt-platform-beta-v0.1.1
agpt-platform-beta-v0.2.0
autogpt-platform-beta-v0.*
autogpt-platform-beta-v0.2.2
autogpt-platform-beta-v0.3.2
autogpt-platform-beta-v0.3.3
autogpt-platform-beta-v0.3.4
autogpt-platform-beta-v0.4.0
autogpt-platform-beta-v0.4.1
autogpt-platform-beta-v0.4.10
autogpt-platform-beta-v0.4.11
autogpt-platform-beta-v0.4.2
autogpt-platform-beta-v0.4.3
autogpt-platform-beta-v0.4.4
autogpt-platform-beta-v0.4.5
autogpt-platform-beta-v0.4.8
autogpt-platform-beta-v0.4.9
autogpt-platform-beta-v0.5.0
autogpt-platform-beta-v0.5.1
autogpt-platform-beta-v0.6.0
autogpt-platform-beta-v0.6.1
autogpt-platform-beta-v0.6.10
autogpt-platform-beta-v0.6.11
autogpt-platform-beta-v0.6.12
autogpt-platform-beta-v0.6.13
autogpt-platform-beta-v0.6.14
autogpt-platform-beta-v0.6.15
autogpt-platform-beta-v0.6.16
autogpt-platform-beta-v0.6.17
autogpt-platform-beta-v0.6.18
autogpt-platform-beta-v0.6.19
autogpt-platform-beta-v0.6.2
autogpt-platform-beta-v0.6.20
autogpt-platform-beta-v0.6.21
autogpt-platform-beta-v0.6.22
autogpt-platform-beta-v0.6.26
autogpt-platform-beta-v0.6.28
autogpt-platform-beta-v0.6.29
autogpt-platform-beta-v0.6.30
autogpt-platform-beta-v0.6.31
autogpt-platform-beta-v0.6.32
autogpt-platform-beta-v0.6.33
autogpt-platform-beta-v0.6.34
autogpt-platform-beta-v0.6.35
autogpt-platform-beta-v0.6.36
autogpt-platform-beta-v0.6.37
autogpt-platform-beta-v0.6.38
autogpt-platform-beta-v0.6.39
autogpt-platform-beta-v0.6.4
autogpt-platform-beta-v0.6.40
autogpt-platform-beta-v0.6.41
autogpt-platform-beta-v0.6.42
autogpt-platform-beta-v0.6.43
autogpt-platform-beta-v0.6.46
autogpt-platform-beta-v0.6.47
autogpt-platform-beta-v0.6.48
autogpt-platform-beta-v0.6.49
autogpt-platform-beta-v0.6.5
autogpt-platform-beta-v0.6.50
autogpt-platform-beta-v0.6.51
autogpt-platform-beta-v0.6.52
autogpt-platform-beta-v0.6.53
autogpt-platform-beta-v0.6.54
autogpt-platform-beta-v0.6.55
autogpt-platform-beta-v0.6.56
autogpt-platform-beta-v0.6.57
autogpt-platform-beta-v0.6.58
autogpt-platform-beta-v0.6.59
autogpt-platform-beta-v0.6.6
autogpt-platform-beta-v0.6.60
autogpt-platform-beta-v0.6.7
autogpt-platform-beta-v0.6.8
autogpt-platform-beta-v0.6.9
v0.*
v0.1.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-55237.json"