CVE-2026-0762
Deserialization RCE in GPT Academic stream_daas Function
Publication date: 2026-01-23
Last updated on: 2026-02-18
Assigner: Zero Day Initiative
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| binary-husky | gpt_academic | 3.91 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-502 | The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a remote code execution flaw in the stream_daas function of the GPT Academic product. The function does not properly validate user-supplied data, which leads to deserialization of untrusted data. Exploitation works through interaction with a malicious DAAS server and allows the attacker to execute arbitrary code with root privileges on the affected system. [1]
How can this vulnerability impact me?
If exploited, this vulnerability allows a remote attacker to execute arbitrary code with root privileges on the affected system. This can lead to complete compromise of the system, including unauthorized access, data theft, data modification, or disruption of services. [1]