PT-2026-33656 · Vibrantlabsai · Ragas
Eric-Y · Published 2026-04-20 · Updated 2026-04-20 · CVE-2026-6587
CVSS v2.0: 6.5 (Medium)
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions
vibrantlabsai RAGAS versions prior to 0.4.4
Description
A server-side request forgery (SSRF) vulnerability exists in the Collections Module. A remote attacker can trigger it by manipulating the retrieved_contexts argument of the try_process_local_file() and try_process_url() functions in the src/ragas/metrics/collections/multi_modal_faithfulness/util.py file.
Recommendations
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
As a temporary workaround, consider restricting the use of the try_process_local_file() and try_process_url() functions.
Exploit
SSRF
Affected Products
Ragas
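One way to apply the workaround from the Recommendations section is to screen retrieved_contexts before any metric sees it; the following is an added example, not Ragas code or a vendor fix. It assumes each entry is a string that may be plain text, a URL or a file path, and ALLOWED_HOSTS, classify_context and screen_retrieved_contexts are hypothetical names.

```python
import ipaddress
import os
import re
from urllib.parse import urlsplit

# Assumption: the only hosts this pipeline should ever fetch from (constructed).
ALLOWED_HOSTS = frozenset({"images.example.com"})
_URL_SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*:/")
_PATH_PREFIX = re.compile(r"^(/|~|\.{1,2}[\\/]|\\\\|[A-Za-z]:[\\/])")


def classify_context(entry, allowed_hosts=ALLOWED_HOSTS):
    """Return (verdict, reason): verdict is "text", "url" or "reject"."""
    value = entry.strip()
    # Fail closed on anything path-shaped or that names an existing file.
    if _PATH_PREFIX.match(value) or os.path.exists(value):
        return "reject", "local path"
    if not _URL_SCHEME.match(value):
        return "text", ""
    try:
        parts = urlsplit(value)
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:  # e.g. malformed bracketed IPv6 host
        return "reject", "unparseable URL"
    if parts.scheme.lower() != "https":
        return "reject", "scheme not https"
    if parts.username is not None:
        return "reject", "userinfo in URL"
    try:
        ipaddress.ip_address(host)
        return "reject", "IP-literal host"
    except ValueError:
        pass  # not an IP literal; the allowlist decides
    if host not in allowed_hosts:
        return "reject", "host not allowlisted"
    return "url", host


def screen_retrieved_contexts(contexts, allowed_hosts=ALLOWED_HOSTS):
    """Split contexts into (accepted, rejected) before any metric sees them."""
    accepted, rejected = [], []
    for entry in contexts:
        verdict, reason = classify_context(entry, allowed_hosts)
        if verdict == "reject":
            rejected.append((entry, reason))
        else:
            accepted.append(entry)
    return accepted, rejected
```

Pass only the accepted list to the metric and log the rejected entries with their reasons. A host allowlist does not cover redirects or DNS changes after the check, so the fetch itself should also refuse redirects to other hosts.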