| عنوان | assafelovic gpt-researcher 3.4.3 Stored Cross-Site Scripting (XSS) |
|---|
| الوصف | GPT Researcher v3.4.3 and earlier versions are vulnerable to Stored Cross-Site Scripting (XSS) through the unauthenticated Report API. An attacker can inject arbitrary HTML and JavaScript into research reports via `POST /api/reports` or `PUT /api/reports/{id}` without authentication. The injected payload is stored server-side and rendered unsanitized in the NextJS frontend when any user navigates to the report URL (`/research/{id}`). The NextJS frontend uses `remark-html` with `sanitize: false` and renders the output via React's `dangerouslySetInnerHTML`, executing the attacker's JavaScript in the victim's browser. |
|---|
| المصدر | ⚠️ https://github.com/assafelovic/gpt-researcher/issues/1693 |
|---|
| المستخدم | Yu-Bao (UID 96702) |
|---|
| ارسال | 23/03/2026 03:23 AM (27 أيام منذ) |
|---|
| الاعتدال | 05/04/2026 09:12 PM (14 days later) |
|---|
| الحالة | تمت الموافقة |
|---|
| إدخال VulDB | 355418 [assafelovic gpt-researcher حتى 3.4.3 Report API backend/server/app.py البرمجة عبر المواقع] |
|---|
| النقاط | 20 |
|---|