agentic-layer-testbench (>=0.9.1 <=0.9.2), agentic-rag-pdf (>=0.1.2 <=0.1.5) +55 more potentially affected by CVE-2025-45691 +1 more via ragas (>=0.2.6 <=0.4.3)

ragas PYPI version =0.2.6, =0.9.1, =0.1.2, =0.1.0a1, =1.0.8, =0.1.6, =11.1.12, =0.20.24, =0.1.1, =1.0.0, =1.1.0, =0.1.0, =0.1.0, =0.1.0b1, =2.0.0 and more Source cves: CVE-2025-45691, CVE-2026-6587 Source advisory: SNYK:PYTHON-RAGAS-16134617...

agentic-layer-testbench (>=0.9.1 <=0.9.2), agentic-rag-pdf (>=0.1.2 <=0.1.5) +55 more potentially affected by CVE-2026-6587 via ragas (>=0.2.6 <=0.4.3)

ragas PYPI version =0.2.6, =0.9.1, =0.1.2, =0.1.0a1, =1.0.8, =0.1.6, =11.1.12, =0.20.24, =0.1.1, =1.0.0, =1.1.0, =0.1.0, =0.1.0, =0.1.0b1, =2.0.0 and more Source cves: CVE-2026-6587 Source advisory: OSV:GHSA-95WW-475F-PR4F...

CVE-2026-6587

A security flaw has been discovered in vibrantlabsai RAGAS up to 0.4.3. The affected element is the function tryprocesslocalfile/tryprocessurl of the file src/ragas/metrics/collections/multimodalfaithfulness/util.py of the component Collections Module. Performing a manipulation of the argument...

CVE-2026-6587

Vibrantlabsai RAGAS (up to 0.4.3) is affected in the Collections Module. The vulnerability lies in the function _try_process_local_file/_try_process_url (src/ragas/metrics/collections/multi_modal_faithfulness/util.py). Manipulating the argument retrieved_contexts can trigger a server-side request...