CVE-2026-6587 | vibrantlabsai RAGAS up to 0.4.3 Collections util.py _try_process_local_file/_try_process_url retrieved_contexts server-side request forgery
A vulnerability has been found in vibrantlabsai RAGAS up to 0.4.3 and classified as critical. It affects the functions _try_process_local_file and _try_process_url in the file src/ragas/metrics/collections/multi_modal_faithfulness/util.py of the component Collections Module. Manipulating the argument retrieved_contexts leads to server-side request forgery.
This vulnerability is identified as CVE-2026-6587. The attack can be initiated remotely. Additionally, an exploit exists.
The security patch for CVE-2025-45691 was applied to a different module only. The vendor was contacted early about this disclosure but did not respond in any way.