{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6587", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-04-19T05:47:10.948Z", "datePublished": "2026-04-20T00:00:19.515Z", "dateUpdated": "2026-04-20T00:00:19.515Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-20T00:00:19.515Z"}, "title": "vibrantlabsai RAGAS Collections util.py _try_process_url server-side request forgery", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-918", "lang": "en", "description": "Server-Side Request Forgery"}]}], "affected": [{"vendor": "vibrantlabsai", "product": "RAGAS", "versions": [{"version": "0.4.0", "status": "affected"}, {"version": "0.4.1", "status": "affected"}, {"version": "0.4.2", "status": "affected"}, {"version": "0.4.3", "status": "affected"}], "modules": ["Collections Module"]}], "descriptions": [{"lang": "en", "value": "A security flaw has been discovered in vibrantlabsai RAGAS up to 0.4.3. The affected element is the function _try_process_local_file/_try_process_url of the file src/ragas/metrics/collections/multi_modal_faithfulness/util.py of the component Collections Module. Performing a manipulation of the argument retrieved_contexts results in server-side request forgery. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. The security patch for CVE-2025-45691 was applied to a different module only. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 6.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 6.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-04-19T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-04-19T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-04-19T07:53:54.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "Eric-y (VulDB User)", "type": "reporter"}, {"lang": "en", "value": "VulDB CNA Team", "type": "coordinator"}], "references": [{"url": "https://vuldb.com/vuln/358222", "name": "VDB-358222 | vibrantlabsai RAGAS Collections util.py _try_process_url server-side request forgery", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/358222/cti", "name": "VDB-358222 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/791088", "name": "Submit #791088 | Exploding Gradients ragas latest (commit 2b38724) Path Traversal / Server-Side Request Forgery (CWE-22 / CWE-918)", "tags": ["third-party-advisory"]}, {"url": "https://adithyanak.com/ragas-v0214-arbitrary-file-read-vulnerability", "tags": ["exploit"]}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A security flaw has been discovered in vibrantlabsai RAGAS up to 0.4.3. The affected element is the function _try_process_local_file/_try_process_url of the file src/ragas/metrics/collections/multi_modal_faithfulness/util.py of the component Collections Module. Performing a manipulation of the argument retrieved_contexts results in server-side request forgery. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. The security patch for CVE-2025-45691 was applied to a different module only. The vendor was contacted early about this disclosure but did not respond in any way."}], "id": "CVE-2026-6587", "lastModified": "2026-04-20T00:16:34.703", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-04-20T00:16:34.703", "references": [{"source": "cna@vuldb.com", "url": "https://adithyanak.com/ragas-v0214-arbitrary-file-read-vulnerability"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/submit/791088"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/358222"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/358222/cti"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "0.4.0"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "0.4.1"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "0.4.2"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "0.4.3"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "RAGAS", "source": "cna", "vendor": "vibrantlabsai"}, "product": "ragas", "vendor": "vibrantlabsai"}], "analysis": {"en": {"generated_at": "2026-04-20T01:20:25.233881+00:00", "value": {"mitigation_remediation": ["Upgrade RAGAS to a version that includes the SSRF fix (monitor vendor announcements for a patch release).", "Restrict outbound traffic from the RAGAS service by applying firewall or network access controls to limit which external resources the process can contact.", "Deploy a web application firewall or proxy that validates outbound URLs, ensuring only approved domains are reachable and blocking malicious SSRF requests."], "summary": {"action": "Monitor", "impact": "Server-side request forgery"}, "threat_synthesis": {"affected_systems": "The vulnerability affects installations of vibrantlabsai RAGAS version 0.4.3 and earlier. Any system running the Collections module within these versions is potentially at risk. No specific patch release is noted yet, and the vendor has not responded to disclosure attempts.", "description_and_impact": "A security flaw was identified in the RAGAS Collections module, specifically in the _try_process_url function of util.py. By manipulating the retrieved_contexts argument, an attacker can trigger a server\u2011side request forgery (SSRF) that allows the vulnerable server to issue arbitrary outbound HTTP requests. The flaw was publicly disclosed and can be exploited from a remote origin, potentially enabling access to internal networks or exfiltration of sensitive data.", "risk_and_exploitability": "The CVSS score of 5.3 indicates moderate severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. Attackers can remotely exploit the SSRF flaw through the exposed _try_process_url endpoint. Since a public exploit exists, the risk to environments lacking mitigation measures is significant."}}}}, "created": "2026-04-20T01:30:39.801084+00:00", "updated": "2026-04-20T01:30:39.904222+00:00", "vendors": ["vibrantlabsai", "vibrantlabsai$PRODUCT$ragas"]}