Vibrantlabsai RAGAS allows remote attackers to forge server requests

CVE-2026-6587
Summary

A security flaw in vibrantlabsai RAGAS version 0.4.3 or earlier lets a remote attacker make the server issue requests of the attacker's choosing (server-side request forgery). This could be used to access sensitive data or disrupt the system. Update to version 0.4.4 or later to fix the issue.

Original title
A security flaw has been discovered in vibrantlabsai RAGAS up to 0.4.3. The affected element is the function _try_process_local_file/_try_process_url of the file src/ragas/metrics/collections/multi...
Original description
A security flaw has been discovered in vibrantlabsai RAGAS up to 0.4.3. The affected element is the function _try_process_local_file/_try_process_url of the file src/ragas/metrics/collections/multi_modal_faithfulness/util.py of the component Collections Module. Performing a manipulation of the argument retrieved_contexts results in server-side request forgery. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. The security patch for CVE-2025-45691 was applied to a different module only. The vendor was contacted early about this disclosure but did not respond in any way.
NVD CVSS 2.0: 6.5
NVD CVSS 3.1: 6.3
NVD CVSS 4.0: 5.3
Vulnerability type
CWE-918 Server-Side Request Forgery (SSRF)
Published: 20 Apr 2026 · Updated: 20 Apr 2026 · First seen: 20 Apr 2026