PT-2026-44472 · Unknown · Local-Deep-Research

Fushuling +1 · Published 2026-05-28 · Updated 2026-05-28 · CVE-2026-46526

CVSS v3.1: 5.0 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions

local-deep-research versions prior to 1.6.10

Description

A logical flaw in the URL checking logic allows attackers to bypass security filters, leading to Server-Side Request Forgery (SSRF). The software uses the validate_url function to perform security checks on the host portion of a URL extracted by urlparse. However, a discrepancy exists between how urlparse and the requests library parse URLs. For example, in the safe_get() function, validate_url may identify a URL as pointing to a public IP, while requests.get interprets the same URL as pointing to an internal address. This occurs because urlparse may treat certain characters, such as backslashes, as regular characters, whereas requests may treat them as path characters, allowing an attacker to redirect requests to internal network resources.

Recommendations

Upgrade to version 1.6.10 or later.
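
For code that performs its own URL checks, one way to narrow the parser gap described above is to refuse ambiguous input and fetch only a URL rebuilt from the components that were validated. This is an added example, not the project's code or its 1.6.10 fix; canonical_public_url, UnsafeURL and the resolve parameter are hypothetical names, and rejecting userinfo is a policy assumption of the example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit, urlunsplit

class UnsafeURL(ValueError):
    """URL is ambiguous or does not point at a public address."""

def _resolve(host, port):
    # Default resolver: every address the name currently maps to.
    return [ai[4][0] for ai in socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)]

def canonical_public_url(url, resolve=_resolve):
    """Validate url; return the string that must be handed to the HTTP client."""
    # 1. Refuse characters that URL parsers are known to read differently
    #    (backslash, whitespace, control characters) instead of guessing.
    if any(c == "\\" or c.isspace() or ord(c) < 0x20 or ord(c) == 0x7F for c in url):
        raise UnsafeURL("ambiguous character in URL")
    try:
        parts = urlsplit(url)
        explicit_port = parts.port
    except ValueError as exc:  # malformed port or bracketed host
        raise UnsafeURL(str(exc)) from exc
    if parts.scheme not in ("http", "https"):
        raise UnsafeURL("scheme not allowed")
    if "@" in parts.netloc:  # policy choice of this example: no userinfo
        raise UnsafeURL("userinfo not allowed")
    host = parts.hostname
    if not host:
        raise UnsafeURL("missing host")
    # 2. Every address the host maps to must be globally routable.
    try:
        addrs = [ipaddress.ip_address(host)]
    except ValueError:
        port = explicit_port or (443 if parts.scheme == "https" else 80)
        try:
            addrs = [ipaddress.ip_address(a) for a in resolve(host, port)]
        except (OSError, ValueError) as exc:
            raise UnsafeURL("host did not resolve") from exc
    if not addrs or not all(a.is_global for a in addrs):
        raise UnsafeURL("host is not a public address")
    # 3. Rebuild the URL from the components that were just checked, so the
    #    client is given exactly what the validator saw.
    netloc = f"[{host}]" if ":" in host else host
    if explicit_port is not None:
        netloc += f":{explicit_port}"
    return urlunsplit((parts.scheme, netloc, parts.path or "/", parts.query, ""))
```

Pass the returned string, not the original input, to the HTTP client. Redirects and DNS answers that change between the check and the fetch need separate handling.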

Exploit

Fix

SSRF

Weakness Enumeration

Related Identifiers

CVE-2026-46526
GHSA-G23J-2VWM-5C25

Affected Products

Local-Deep-Research