PT-2026-33712 · Modelscope · Agentscope

Eric-F

Published

2026-04-20

Updated

2026-04-21

CVE-2026-6606

CVSS v2.0

7.5

High

Vector

AV:N/AC:L/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions modelscope agentscope versions prior to 1.0.19

Description A server-side request forgery (SSRF) exists in the process audio block() function within the file src/agentscope/agent/ agent base.py. This issue allows a remote attacker to perform the attack by manipulating the url argument. SSRF is a flaw that allows an attacker to induce the server-side application to make requests to an unintended location.

Recommendations Update to a version newer than 1.0.18. As a temporary workaround, restrict access to the process audio block() function to minimize the risk of exploitation.

Exploit

Fix

SSRF

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-918

Related Identifiers

CVE-2026-6606

GHSA-CRX8-WPV6-JRJ2

Affected Products

Agentscope

PT-2026-33712 · Modelscope · Agentscope

CVE-2026-6606

Weakness Enumeration

Related Identifiers

Affected Products

References · 9