CVE-2026-0764

Critical CVSS: 9.8

GPT Academic upload Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GPT Academic. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the upload endpoint. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-27957.

Vendor

Binary-husky

Product

Gpt Academic

CWE

CWE-502

Yayın Tarihi

2026-01-23 04:16:03

Güncelleme

2026-02-18 16:42:46

Source Identifier

zdi-disclosures@trendmicro.com

KEV Date Added

Kategoriler

CWE-502 Gpt Academic CRITICAL Binary-husky 2026

Referanslar

https://www.zerodayinitiative.com/advisories/ZDI-26-030/

Benzer Kayıtlar

Critical

CVE-2026-0763

GPT Academic run_in_subprocess_wrapper_func Deserialization of Untrusted Data Remote Code Execution Vulnerability. This…

High

CVE-2026-0762

GPT Academic stream_daas Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allow…

Medium

CVE-2025-10236

A vulnerability has been found in binary-husky gpt_academic up to 3.91. Impacted is the function merge_tex_files_ of the…

Medium

CVE-2025-0183

A stored cross-site scripting (XSS) vulnerability exists in the Latex Proof-Reading Module of binary-husky/gpt_academic…

Medium

CVE-2024-12387

A vulnerability in the binary-husky/gpt_academic repository, as of commit git 3890467, allows an attacker to crash the s…

Medium

CVE-2024-12388

A vulnerability in binary-husky/gpt_academic version 310122f allows for a Regular Expression Denial of Service (ReDoS) a…