{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6606", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-04-19T14:12:04.157Z", "datePublished": "2026-04-20T04:45:11.806Z", "dateUpdated": "2026-04-20T04:45:11.806Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-20T04:45:11.806Z"}, "title": "modelscope agentscope _agent_base.py _process_audio_block server-side request forgery", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-918", "lang": "en", "description": "Server-Side Request Forgery"}]}], "affected": [{"vendor": "modelscope", "product": "agentscope", "versions": [{"version": "1.0.0", "status": "affected"}, {"version": "1.0.1", "status": "affected"}, {"version": "1.0.2", "status": "affected"}, {"version": "1.0.3", "status": "affected"}, {"version": "1.0.4", "status": "affected"}, {"version": "1.0.5", "status": "affected"}, {"version": "1.0.6", "status": "affected"}, {"version": "1.0.7", "status": "affected"}, {"version": "1.0.8", "status": "affected"}, {"version": "1.0.9", "status": "affected"}, {"version": "1.0.10", "status": "affected"}, {"version": "1.0.11", "status": "affected"}, {"version": "1.0.12", "status": "affected"}, {"version": "1.0.13", "status": "affected"}, {"version": "1.0.14", "status": "affected"}, {"version": "1.0.15", "status": "affected"}, {"version": "1.0.16", "status": "affected"}, {"version": "1.0.17", "status": "affected"}, {"version": "1.0.18", "status": "affected"}], "cpes": ["cpe:2.3:a:modelscope:agentscope:*:*:*:*:*:*:*:*"]}], "descriptions": [{"lang": "en", "value": "A weakness has been identified in modelscope agentscope up to 1.0.18. This vulnerability affects the function _process_audio_block of the file src/agentscope/agent/_agent_base.py. Executing a manipulation of the argument url can lead to server-side request forgery. It is possible to launch the attack remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "HIGH"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 7.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "HIGH"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-04-19T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-04-19T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-04-19T16:17:49.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "Eric-f (VulDB User)", "type": "reporter"}, {"lang": "en", "value": "VulDB CNA Team", "type": "coordinator"}], "references": [{"url": "https://vuldb.com/vuln/358241", "name": "VDB-358241 | modelscope agentscope _agent_base.py _process_audio_block server-side request forgery", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/358241/cti", "name": "VDB-358241 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/792226", "name": "Submit #792226 | AgentScope <= 1.0.18 Server-Side Request Forgery (CWE-918)", "tags": ["third-party-advisory"]}, {"url": "https://gist.github.com/YLChen-007/4e589eec07446726612dc416a7d80820", "tags": ["exploit"]}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A weakness has been identified in modelscope agentscope up to 1.0.18. This vulnerability affects the function _process_audio_block of the file src/agentscope/agent/_agent_base.py. Executing a manipulation of the argument url can lead to server-side request forgery. It is possible to launch the attack remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way."}], "id": "CVE-2026-6606", "lastModified": "2026-04-20T05:16:15.987", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-04-20T05:16:15.987", "references": [{"source": "cna@vuldb.com", "url": "https://gist.github.com/YLChen-007/4e589eec07446726612dc416a7d80820"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/submit/792226"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/358241"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/358241/cti"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.0.0"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.0.1"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.0.2"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.0.3"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.0.4"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.0.5"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.0.6"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.0.7"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.0.8"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.0.9"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.0.10"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.0.11"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.0.12"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.0.13"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.0.14"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.0.15"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.0.16"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.0.17"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.0.18"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "agentscope", "source": "cna", "vendor": "modelscope"}, "product": "agentscope", "vendor": "modelscope"}], "analysis": {"en": {"generated_at": "2026-04-20T06:20:55.316030+00:00", "value": {"mitigation_remediation": ["Upgrade modelscope agentscope to a patched version that removes the insecure URL handling in _process_audio_block; if no update is immediately available, monitor the vendor\u2019s release notes for a fix.", "Restrict outbound traffic from the agentscope service by limiting allowed hostnames or IP addresses and blocking any unexpected internal endpoints to mitigate SSRF attempts.", "Implement network segmentation or firewall rules that isolate the agentscope component from critical internal services, reducing the potential impact of a successful SSRF attack.", "Monitor logs and network flows for abnormal outbound requests originating from agentscope to detect and respond to attempted SSRF attacks promptly."], "summary": {"action": "Patch Immediately", "impact": "Server\u2011Side Request Forgery"}, "threat_synthesis": {"affected_systems": "The issue affects all releases of modelscope agentscope up to and including version 1.0.18 as identified by the vendor. Any deployment that has not been upgraded beyond this version is vulnerable.", "description_and_impact": "The vulnerability in modelscope agentscope arises from a flaw in the _process_audio_block function that permits an attacker to manipulate a URL parameter. This creates a server\u2011side request forgery (SSRF) scenario in which the server, acting as a proxy, can be forced to send HTTP requests to arbitrary internal or external destinations. The effect is that a remote attacker could exfiltrate sensitive data, access network\u2011restricted services, or launch further attacks from the compromised host. According to the provided score, the CVSS rating reflects a moderately high risk.", "risk_and_exploitability": "The flaw can be exploited remotely, and a public proof\u2011of\u2011concept has already appeared online, indicating that attackers can effectively leverage the weakness. While the EPSS score is not available, the existence of a public exploit suggests that the likelihood of real\u2011world attacks is non\u2011negligible. The vulnerability is not listed in CISA\u2019s KEV catalog, but its nature and available exploit code make it a threat that should be addressed without delay."}}}}, "created": "2026-04-20T06:30:45.090375+00:00", "updated": "2026-04-20T06:30:45.306985+00:00", "vendors": ["modelscope", "modelscope$PRODUCT$agentscope"]}