CVE-2026-55237

June 18, 2026, 6:16 p.m.

8.8
High

Description

AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. Versions prior to 0.6.62 have a DOM-based Cross-Site Scripting (XSS) vulnerability in AutoGPT's signup page. The application improperly trusts a URL parameter (`next`), which is passed to `router.push`. An attacker can craft a malicious link that, when opened by an authenticated user, performs a client-side redirect and executes arbitrary JavaScript in the context of their browser. This could lead to credential theft, internal network pivoting, and unauthorized actions performed on behalf of the victim. Version 0.6.62 patches the issue.
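The description above names the trust boundary but not the fix. The block below is an added example, not AutoGPT's code and not the 0.6.62 patch: it shows the unsafe "use `next` as-is" pattern beside a validator that only lets a same-origin path reach the router, plus a small model of what a Next.js-style `router.push` does with each kind of destination. `APP_ORIGIN`, `routerPushEffect`, `safeNextPath` and the sample query string are assumptions made for illustration.

```javascript
// Added example (not AutoGPT's code): the trust boundary the advisory describes.
// A signup/login page reads ?next=... and hands it to a client-side router.
// Assumptions: APP_ORIGIN is a hypothetical origin; routerPushEffect() models what a
// Next.js-style router.push() does with a destination rather than calling the real one.

const APP_ORIGIN = "https://app.example.test"; // hypothetical application origin

// Vulnerable pattern: the raw `next` value becomes the redirect target.
function vulnerableNextTarget(searchParams) {
  return searchParams.get("next") || "/";
}

// Hardened pattern: only a same-origin, path-only destination is accepted;
// anything else collapses to the fallback.
function safeNextPath(candidate, fallback = "/") {
  if (typeof candidate !== "string" || candidate.length === 0) return fallback;

  // Control characters and whitespace are how schemes get smuggled past naive
  // prefix checks ("java\tscript:" is still javascript: to a lenient parser).
  if (/[\u0000-\u001F\u007F\s]/.test(candidate)) return fallback;

  // Require an absolute path. "//host" is protocol-relative and "/\host" is the
  // backslash variant that WHATWG URL parsing also turns into a host.
  if (!candidate.startsWith("/") || candidate.startsWith("//") || candidate.startsWith("/\\")) {
    return fallback;
  }

  // Resolve against our own origin and compare origins: this is the one check
  // that catches whatever the prefix checks above did not anticipate.
  let parsed;
  try {
    parsed = new URL(candidate, APP_ORIGIN);
  } catch {
    return fallback;
  }
  if (parsed.origin !== APP_ORIGIN) return fallback;

  // Hand the router the normalized path, never the raw input.
  return parsed.pathname + parsed.search + parsed.hash;
}

// Models what a client router does with a destination: same-origin paths become
// an in-app navigation; anything else is a full-page navigation via the location,
// which is where a javascript: URL executes in the victim's origin.
function routerPushEffect(target) {
  let url;
  try {
    url = new URL(target, APP_ORIGIN);
  } catch {
    return "invalid";
  }
  if (url.protocol === "javascript:") return "script-execution";
  if (url.origin !== APP_ORIGIN) return "open-redirect";
  return "client-side-navigation";
}

// Constructed sample: the shape of link the advisory describes, opened by a
// logged-in user. This is not a real AutoGPT URL.
const SAMPLE_QUERY = "next=javascript:alert(document.cookie)";
const sampleParams = new URLSearchParams(SAMPLE_QUERY);

console.log("unvalidated:", routerPushEffect(vulnerableNextTarget(sampleParams)));
console.log("validated:  ", routerPushEffect(safeNextPath(sampleParams.get("next"))));
```

The design point is the order of checks: a deny-list of schemes (`javascript:`, `data:`, `vbscript:`) is what most first attempts reach for, and it is exactly what control-character and backslash variants slip past. Parsing the candidate against the application's own origin and comparing `origin` gives a single positive check, and returning the parsed path instead of the raw string means the router never sees attacker-controlled bytes at all.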

Product(s) Impacted

Vendor: Autogpt
Product: Autogpt
Versions: <0.6.62

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-87
Improper Neutralization of Alternate XSS Syntax
The product does not neutralize or incorrectly neutralizes user-controlled input for alternate script syntax.

*CPE(s)

Affected systems and software identified for this CVE.

Type: a (application)
Vendor: autogpt
Product: autogpt
Version: <0.6.62
Update / Edition / Language / Software Edition / Target Software / Target Hardware / Other Information: not specified

CVSS Score

8.8 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • User Interaction: REQUIRED
  • Scope: CHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: LOW
  • Availability Impact: LOW
  • CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L

Timeline

Published: June 18, 2026, 5:16 p.m.
Last Modified: June 18, 2026, 6:16 p.m.

Status: Deferred

When a CVE is given this status, the NVD does not plan to analyze or re-analyze this CVE due to resource or other concerns.


*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.