CVE-2026-5631

Source
https://cve.org/CVERecord?id=CVE-2026-5631
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-5631.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-5631
Published
2026-04-06T06:30:14.722Z
Modified
2026-07-15T01:49:04.947771317Z
Severity
  • 5.5 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P CVSS Calculator
Summary
assafelovic gpt-researcher ws Endpoint server_utils.py extract_command_data code injection
Details

A vulnerability has been found in assafelovic gpt-researcher up to 3.4.3. This affects the function extractcommanddata of the file backend/server/server_utils.py of the component ws Endpoint. Such manipulation of the argument args leads to code injection. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet.

Database specific
{
    "cna_assigner": "VulDB",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/5xxx/CVE-2026-5631.json",
    "cwe_ids": [
        "CWE-74",
        "CWE-94"
    ]
}
References

Affected packages

Git / github.com/assafelovic/gpt-researcher

Affected ranges

Type
GIT
Repo
https://github.com/assafelovic/gpt-researcher
Events
Database specific
{
    "source": "AFFECTED_FIELD",
    "extracted_events": [
        {
            "introduced": "3.4.0"
        },
        {
            "last_affected": "3.4.0"
        },
        {
            "introduced": "3.4.1"
        },
        {
            "last_affected": "3.4.1"
        },
        {
            "introduced": "3.4.2"
        },
        {
            "last_affected": "3.4.2"
        },
        {
            "introduced": "3.4.3"
        },
        {
            "last_affected": "3.4.3"
        }
    ]
}

Affected versions

3.*
3.4.0
3.4.1
3.4.2
3.4.3
v3.*
v3.4.0
v3.4.1
v3.4.2
v3.4.3

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-5631.json"