PT-2026-33729 · Superagi · Superagi

Eric-Y · Published 2026-04-20 · Updated 2026-04-20 · CVE-2026-6616

CVSS v2.0: 6.5 (Medium)

Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions

TransformerOptimus SuperAGI versions prior to 0.0.15

Description

An issue in the WebScraperTool component within the file superagi/helper/webpage_extractor.py allows for server-side request forgery, which is a flaw where an attacker can induce the server to make requests to an unintended location. This can be triggered remotely through the functions extract_with_bs4(), extract_with_3k(), or extract_with_lxml().

Recommendations

As a temporary workaround, consider restricting the use of the functions extract_with_bs4(), extract_with_3k(), and extract_with_lxml() until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

SSRF

Weakness Enumeration

Related Identifiers

CVE-2026-6616

Affected Products

Superagi