Platform: javascript
Component: gpt-researcher
Fixed in: 3.4.1, 3.4.2, 3.4.3, 3.4.4
A cross-site scripting (XSS) vulnerability has been discovered in gpt-researcher versions 3.4.0 through 3.4.3. This flaw stems from improper handling of the 'task' argument within the WebSocket Interface component. Successful exploitation allows an attacker to inject malicious scripts, potentially leading to session hijacking or defacement. The vulnerability is remotely exploitable and a public proof-of-concept is available, highlighting the urgency of remediation.
The primary impact of CVE-2026-5625 is the potential for cross-site scripting (XSS) attacks. An attacker could leverage this vulnerability to inject malicious JavaScript code into the gpt-researcher application. This could allow them to steal user session cookies, redirect users to phishing sites, or deface the application's interface. Given the public availability of an exploit, the risk of exploitation is elevated. The WebSocket Interface component is likely used for communication between the client and server, making it a critical attack vector. The lack of response from the project developers further exacerbates the risk, as timely security updates are unlikely.
CVE-2026-5625 is a publicly disclosed vulnerability with a readily available proof-of-concept. This significantly increases the likelihood of exploitation. The vulnerability was reported to the project on 2026-04-06, but there has been no response, indicating a potential lack of active maintenance. The EPSS score is likely to be medium or high due to the public exploit and lack of developer response. Monitor for unusual WebSocket traffic and suspicious JavaScript execution within the gpt-researcher application.
Exploit Status:
EPSS: 0.03% (11th percentile)
CISA SSVC:
CVSS Vector:
The recommended mitigation for CVE-2026-5625 is to upgrade to a patched version of gpt-researcher. As no fixed version is currently available, immediate action is required. Implement strict input validation on the 'task' argument, ensuring it conforms to expected formats and lengths. Employ robust output encoding to prevent injected scripts from being executed by the browser. Consider implementing a Web Application Firewall (WAF) with rules to detect and block XSS attempts targeting the WebSocket Interface. Regularly review and update security policies to address emerging threats.
Update to a patched version of gpt-researcher that fixes the XSS vulnerability. Check the project documentation or repository for specific upgrade instructions. Until a patched version is released, avoid using the application and avoid manipulating task arguments.
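The two interim mitigations above (input validation on the task argument and output encoding before it reaches the page) shown together in an added example. This is not gpt-researcher's own code; the WebSocket message shape `{type, task}`, the length limit and the rendering functions are assumptions for illustration.

```javascript
// Added example: defensive handling of a 'task' value received over a
// WebSocket. Not gpt-researcher code; the {type, task} message shape and
// MAX_TASK_LENGTH are assumed for illustration.
const MAX_TASK_LENGTH = 2000;

// Validation: accept only a bounded, printable string.
function validateTask(task) {
  if (typeof task !== "string") return { ok: false, reason: "task must be a string" };
  if (task.length === 0 || task.length > MAX_TASK_LENGTH) {
    return { ok: false, reason: "task length out of range" };
  }
  // Reject control characters other than tab, newline and carriage return.
  if (/[\u0000-\u0008\u000B\u000C\u000E-\u001F]/.test(task)) {
    return { ok: false, reason: "control characters not allowed" };
  }
  return { ok: true, task };
}

// Output encoding: neutralise the characters that carry meaning in HTML.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Weak pattern: the value is interpolated straight into markup, so any
// markup it contains becomes part of the page.
function renderTaskUnsafe(task) {
  return `<div class="task">${task}</div>`;
}

// Hardened pattern: parse, validate, then encode before building markup.
function renderTaskSafe(rawMessage) {
  let msg;
  try {
    msg = JSON.parse(rawMessage);
  } catch {
    return { ok: false, reason: "malformed JSON" };
  }
  const v = validateTask(msg.task);
  if (!v.ok) return v;
  return { ok: true, html: `<div class="task">${escapeHtml(v.task)}</div>` };
}

// Constructed sample message whose task value contains markup characters.
const sampleMessage = JSON.stringify({ type: "start", task: 'Summarize <b>AI</b> & "safety"' });

console.log(renderTaskUnsafe(JSON.parse(sampleMessage).task));
console.log(renderTaskSafe(sampleMessage));
```

In a browser the same rule applies when no template is involved: assign the task string to `textContent`, never to `innerHTML`.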
CVE-2026-5625 is a cross-site scripting (XSS) vulnerability affecting gpt-researcher versions 3.4.0–3.4.3. It allows attackers to inject malicious scripts via manipulation of the 'task' argument.
If you are using gpt-researcher versions 3.4.0 through 3.4.3 and have not upgraded, you are potentially affected by this XSS vulnerability.
Upgrade to a patched version of gpt-researcher. As no patch is available, implement input validation and output encoding as immediate mitigations.
A public proof-of-concept exists, indicating a high probability of active exploitation. Monitor your systems for suspicious activity.
As of the current date, no official advisory has been released by the gpt-researcher project. Monitor the project's repository and communication channels for updates.