| Title | assafelovic gpt-researcher 3.4.3 Reflected Cross-Site Scripting (XSS) |
|---|---|
| Description | GPT Researcher v3.4.3 and earlier versions are vulnerable to Reflected Cross-Site Scripting (XSS) via the research task name. When a user submits a research query containing HTML/JavaScript through the WebSocket interface, the backend includes the unsanitized task name in multiple WebSocket logs response messages. The lightweight frontend renders these log messages using innerHTML without any sanitization, causing the injected script to execute in the user's browser. No authentication is required to trigger this vulnerability. |
| Source | https://github.com/assafelovic/gpt-researcher/issues/1692 |
| User | Yu_Bao (UID 89348) |
| Submission | 03/23/2026 02:12 (15 days ago) |
| Moderation | 04/05/2026 18:56 (14 days later) |
| Status | Accepted |
| VulDB entry | 355415 [assafelovic gpt-researcher up to 3.4.3 WebSocket Interface researcher.py task cross site scripting] |
| Points | 20 |
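
The rendering flaw in the description, next to two hardened forms, as an added example that is not gpt-researcher code. The message shape `{type, output}`, the function names and the sample message are assumptions made for illustration.

```javascript
// Added example: server-supplied log text must reach the page as text, never as markup.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode the five characters that can change HTML parsing context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Pattern the description reports: the echoed task name is interpolated into
// a string that is later assigned to innerHTML, so the browser parses it as HTML.
function logLineUnsafe(rawMessage) {
  const msg = JSON.parse(rawMessage);
  return `<div class="log">${msg.output}</div>`;
}

// Hardened string form: validate the (assumed) message shape, then escape on output.
function logLineSafe(rawMessage) {
  const msg = JSON.parse(rawMessage);
  if (msg.type !== "logs" || typeof msg.output !== "string") return "";
  return `<div class="log">${escapeHtml(msg.output)}</div>`;
}

// Hardened DOM form: textContent never invokes the HTML parser at all.
function appendLogLine(container, rawMessage) {
  const msg = JSON.parse(rawMessage);
  const line = container.ownerDocument.createElement("div");
  line.className = "log";
  line.textContent = String(msg.output);
  container.appendChild(line);
  return line;
}

// Constructed sample: a log message that echoes a task name containing markup.
const SAMPLE = JSON.stringify({
  type: "logs",
  output: "Researching: <img src=x onerror=alert(1)>",
});
```

Escaping in the frontend covers this sink only; the backend should also treat the task name as untrusted wherever it is echoed.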