CVE-2026-6604 | modelscope agentscope up to 1.0.18 Cloud Metadata Endpoint _openai_tools.py _parse_url/prepare_image/openai_audio_to_text image_url/audio_file_url server-side request forgery

A vulnerability was found in modelscope agentscope up to 1.0.18. It has been declared as critical. Affected by this issue is the function _parse_url/prepare_image/openai_audio_to_text of the file src/agentscope/tool/_multi_modality/_openai_tools.py of the component Cloud Metadata Endpoint. Such manipulation of the argument image_url/audio_file_url leads to server-side request forgery.

This vulnerability is listed as CVE-2026-6604. The attack may be performed from remote. In addition, an exploit is available.

The vendor was contacted early about this disclosure but did not respond in any way.

CVE-2026-6604 | modelscope agentscope up to 1.0.18 Cloud Metadata Endpoint _openai_tools.py _parse_url/prepare_image/openai_audio_to_text image_url/audio_file_url server-side request forgery

Post correlati

CVE-2025-22409 | Google Android 15 rfc_ts_frames.cc rfc_send_buf_uih use after free

CVE-2024-30250 | KindSpells Astro-Shield data authenticity

CVE-2023-42232 | Pat Infinite Solutions HelpdeskAdvanced up to 11.0.33 Navigator/Index path traversal

CVE-2024-50197 | Linux Kernel up to 6.11.4 pinctrl device_for_each_child_node reference count (be3f7b9f995a/16a6d2e685e8)