CVE-2026-6587

MEDIUM 6.3

vibrantlabsai RAGAS Collections util.py _try_process_url server-side request forgery

CVSS Score

6.3

EPSS Score

0.0%

EPSS Percentile

0th

A security flaw has been discovered in vibrantlabsai RAGAS up to 0.4.3. The affected element is the function _try_process_local_file/_try_process_url of the file src/ragas/metrics/collections/multi_modal_faithfulness/util.py of the component Collections Module. Performing a manipulation of the argument retrieved_contexts results in server-side request forgery. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. The security patch for CVE-2025-45691 was applied to a different module only. The vendor was contacted early about this disclosure but did not respond in any way.

CWE	CWE-918
Vendor	vibrantlabsai
Product	ragas
Published	Apr 20, 2026

Stay Ahead of the Next One

Get instant alerts for vibrantlabsai ragas

Be the first to know when new medium vulnerabilities affecting vibrantlabsai ragas are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

Affected Versions

vibrantlabsai / RAGAS

0.4.0 0.4.1 0.4.2 0.4.3

References

NVD ↗ CVE.org ↗ EPSS Data ↗

vuldb.com: https://vuldb.com/vuln/358222 vuldb.com: https://vuldb.com/vuln/358222/cti vuldb.com: https://vuldb.com/submit/791088 adithyanak.com: https://adithyanak.com/ragas-v0214-arbitrary-file-read-vulnerability

Credits

🔍 Eric-y (VulDB User) VulDB CNA Team