PT-2026-30570 · Unknown · Assafelovic Gpt-Researcher

Yu-Bao · Published 2026-04-06 · Updated 2026-04-06 · CVE-2026-5631

CVSS v2.0: 7.5 (High)

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: assafelovic gpt-researcher versions through 3.4.3

Description: A code injection issue exists in the extract_command_data function within the backend/server/server_utils.py file, associated with the ws Endpoint component. Manipulation of the args argument can lead to code injection, potentially allowing remote attacks. The exploit for this issue has been publicly disclosed, and the project maintainers have not yet responded to reports about the problem.

Recommendations: Versions prior to 3.4.4 should be updated.

Exploit

Fix

Special Elements Injection

Code Injection

Weakness Enumeration

Related Identifiers: CVE-2026-5631

Affected Products: Assafelovic Gpt-Researcher