{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6616", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-04-19T16:13:42.171Z", "datePublished": "2026-04-20T07:15:12.269Z", "dateUpdated": "2026-04-20T07:15:12.269Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-20T07:15:12.269Z"}, "title": "TransformerOptimus SuperAGI WebScraperTool webpage_extractor.py extract_with_lxml server-side request forgery", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-918", "lang": "en", "description": "Server-Side Request Forgery"}]}], "affected": [{"vendor": "TransformerOptimus", "product": "SuperAGI", "versions": [{"version": "0.0.1", "status": "affected"}, {"version": "0.0.2", "status": "affected"}, {"version": "0.0.3", "status": "affected"}, {"version": "0.0.4", "status": "affected"}, {"version": "0.0.5", "status": "affected"}, {"version": "0.0.6", "status": "affected"}, {"version": "0.0.7", "status": "affected"}, {"version": "0.0.8", "status": "affected"}, {"version": "0.0.9", "status": "affected"}, {"version": "0.0.10", "status": "affected"}, {"version": "0.0.11", "status": "affected"}, {"version": "0.0.12", "status": "affected"}, {"version": "0.0.13", "status": "affected"}, {"version": "0.0.14", "status": "affected"}], "cpes": ["cpe:2.3:a:superagi:superagi:*:*:*:*:*:*:*:*"], "modules": ["WebScraperTool"]}], "descriptions": [{"lang": "en", "value": "A security vulnerability has been detected in TransformerOptimus SuperAGI up to 0.0.14. This affects the function extract_with_bs4/extract_with_3k/extract_with_lxml of the file superagi/helper/webpage_extractor.py of the component WebScraperTool. Such manipulation leads to server-side request forgery. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 6.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 6.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-04-19T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-04-19T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-04-19T18:19:02.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "Eric-y (VulDB User)", "type": "reporter"}, {"lang": "en", "value": "VulDB CNA Team", "type": "coordinator"}], "references": [{"url": "https://vuldb.com/vuln/358251", "name": "VDB-358251 | TransformerOptimus SuperAGI WebScraperTool webpage_extractor.py extract_with_lxml server-side request forgery", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/358251/cti", "name": "VDB-358251 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/791084", "name": "Submit #791084 | SuperAGI up to c3c1982 Server-Side Request Forgery (CWE-918)", "tags": ["third-party-advisory"]}, {"url": "https://gist.github.com/YLChen-007/4bb1d709cbb58cee46d839c651d3221f", "tags": ["exploit"]}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A security vulnerability has been detected in TransformerOptimus SuperAGI up to 0.0.14. This affects the function extract_with_bs4/extract_with_3k/extract_with_lxml of the file superagi/helper/webpage_extractor.py of the component WebScraperTool. Such manipulation leads to server-side request forgery. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "id": "CVE-2026-6616", "lastModified": "2026-04-20T08:16:11.390", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-04-20T08:16:11.390", "references": [{"source": "cna@vuldb.com", "url": "https://gist.github.com/YLChen-007/4bb1d709cbb58cee46d839c651d3221f"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/submit/791084"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/358251"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/358251/cti"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.0.1,0.0.14]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "SuperAGI", "source": "cna", "vendor": "TransformerOptimus"}, "product": "superagi", "vendor": "transformeroptimus"}], "analysis": {"en": {"generated_at": "2026-04-20T08:21:59.025752+00:00", "value": {"mitigation_remediation": ["Upgrade the application to a fixed version (e.g., 0.0.15 or later when released).", "If an upgrade is not immediately available, restrict the URLs that can be fetched by the WebScraperTool to a trusted whitelist, or disable the extract_with_lxml function entirely.", "Implement network segmentation or firewall rules to block the Scraper tool from accessing sensitive internal IP ranges, thereby mitigating the impact of any residual SSRF."], "summary": {"action": "Patch", "impact": "Server\u2011Side Request Forgery"}, "threat_synthesis": {"affected_systems": "TransformerOptimus SuperAGI versions up to and including 0.0.14 are affected. No other products or versions are listed.", "description_and_impact": "The vulnerability originates in the extract_with_bs4, extract_with_3k, and extract_with_lxml functions of the WebScraperTool component. User\u2011provided URLs are processed without proper validation, allowing an attacker to supply arbitrary URLs that the server will request. This results in a server\u2011side request forgery, which can expose internal resources, leak data, or enable further attacks. The weakness is identified as CWE\u2011918.", "risk_and_exploitability": "The vulnerability has a CVSS score of 5.3, indicating moderate severity. No EPSS information is available and the issue is not currently listed in the CISA KEV catalog, suggesting that it has not yet been broadly exploited in the wild. However, remote exploitation is possible and an exploit has been publicly disclosed, implying that attackers could target vulnerable deployments from outside the network. Because the vulnerability is an SSRF, the attacker\u2019s ability to impact the system depends on the internal network topology and the services accessed by the SSRF."}}}}, "created": "2026-04-20T08:30:02.621656+00:00", "updated": "2026-04-20T14:58:03.318046+00:00", "vendors": ["transformeroptimus", "transformeroptimus$PRODUCT$superagi"]}