Search

Find a vulnerability

Search criteria

    12 vulnerabilities by openai

    CVE-2026-14898 (GCVE-0-2026-14898)

    Vulnerability from nvd – Published: 2026-07-06 19:41 – Updated: 2026-07-07 15:35
    VLAI
    Summary
    The OpenAI Codex desktop app for macOS rendered remote images from Markdown in model responses. An attacker who could place an indirect prompt injection in content processed by Codex, such as a connected-tool result or another untrusted source, could induce the model to construct a remote image URL containing sensitive data. The app automatically fetched that URL when rendering the response, sending the embedded data to an attacker-controlled server without a separate user click. Successful exploitation could exfiltrate secrets and other information accessible in the Codex session, including API keys, source code, and data returned by connected tools. No direct integrity or availability impact was demonstrated, and there is no known exploitation in the wild.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    Assigner
    OAI
    References
    Impacted products
    Vendor Product Version
    OpenAI Codex desktop app for macOS Affected: 0 , < 26.527.31326 (custom)
    Create a notification for this product.
    Credits
    wuzzi23 (original report) Itay Ravia of Cato Networks (independent report)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 6.5,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "REQUIRED",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-14898",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-07T15:35:10.010319Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-07T15:35:14.109Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Codex desktop app for macOS",
              "vendor": "OpenAI",
              "versions": [
                {
                  "lessThan": "26.527.31326",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "configurations": [
            {
              "lang": "en",
              "value": "Codex desktop app on macOS with remote Markdown image rendering enabled. Exploitation requires attacker-controlled or untrusted content to be processed by Codex and induce a response containing a remote image URL with sensitive data embedded in the URL."
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "wuzzi23 (original report)"
            },
            {
              "lang": "en",
              "value": "Itay Ravia of Cato Networks (independent report)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The OpenAI Codex desktop app for macOS rendered remote images from Markdown in model responses. An attacker who could place an indirect prompt injection in content processed by Codex, such as a connected-tool result or another untrusted source, could induce the model to construct a remote image URL containing sensitive data. The app automatically fetched that URL when rendering the response, sending the embedded data to an attacker-controlled server without a separate user click. Successful exploitation could exfiltrate secrets and other information accessible in the Codex session, including API keys, source code, and data returned by connected tools. No direct integrity or availability impact was demonstrated, and there is no known exploitation in the wild."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "Exposure of Sensitive Information to an Unauthorized Actor",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-06T19:41:36.632Z",
            "orgId": "8f4f43ab-ba69-4d92-aa1d-d772184d6fb7",
            "shortName": "OAI"
          },
          "references": [
            {
              "url": "https://openai.com/codex/"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Upgrade to 26.527.31326 or later. The product fix disables loading remote images from Markdown."
            }
          ],
          "workarounds": [
            {
              "lang": "en",
              "value": "If an upgrade is not possible, avoid processing untrusted content and connected-tool data in affected versions."
            }
          ],
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8f4f43ab-ba69-4d92-aa1d-d772184d6fb7",
        "assignerShortName": "OAI",
        "cveId": "CVE-2026-14898",
        "datePublished": "2026-07-06T19:41:36.632Z",
        "dateReserved": "2026-07-06T19:35:48.882Z",
        "dateUpdated": "2026-07-07T15:35:14.109Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-11326 (GCVE-0-2026-11326)

    Vulnerability from nvd – Published: 2026-06-05 00:12 – Updated: 2026-06-05 18:32
    VLAI
    Summary
    OpenAI Atlas before 1.2025.288.15 exposed privileged browser APIs to web content on *.openai.com origins. A cross-site scripting vulnerability in forum.openai.com could be used to access these functions, allowing access to browser history information and the ability to open or close tabs. OpenAI Atlas 1.2025.288.15 narrows access to these APIs to *.chatgpt.com; users should upgrade to 1.2025.288.15 or later.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-284 - Improper Access Control
    Assigner
    OAI
    References
    Impacted products
    Vendor Product Version
    OpenAI OpenAI Atlas Affected: 0 , < 1.2025.288.15 (custom)
    Create a notification for this product.
    Credits
    s1r1us and sudi of hacktron.ai
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-11326",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-05T18:32:37.907593Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-05T18:32:50.603Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "OpenAI Atlas",
              "vendor": "OpenAI",
              "versions": [
                {
                  "lessThan": "1.2025.288.15",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "s1r1us and sudi of hacktron.ai"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "OpenAI Atlas before 1.2025.288.15 exposed privileged browser APIs to web content on *.openai.com origins. A cross-site scripting vulnerability in forum.openai.com could be used to access these functions, allowing access to browser history information and the ability to open or close tabs. OpenAI Atlas 1.2025.288.15 narrows access to these APIs to *.chatgpt.com; users should upgrade to 1.2025.288.15 or later."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 6,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/AU:N/V:D/RE:L/U:Green",
                "version": "4.0"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-284",
                  "description": "CWE-284 Improper Access Control",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-05T17:59:00.942Z",
            "orgId": "8f4f43ab-ba69-4d92-aa1d-d772184d6fb7",
            "shortName": "OAI"
          },
          "references": [
            {
              "name": "Pwning OpenAI Atlas Through Exposed Browser Internals",
              "tags": [
                "technical-description"
              ],
              "url": "https://www.hacktron.ai/blog/hacking-openai-atlas-browser"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Upgrade to OpenAI Atlas 1.2025.288.15 or later."
            }
          ],
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8f4f43ab-ba69-4d92-aa1d-d772184d6fb7",
        "assignerShortName": "OAI",
        "cveId": "CVE-2026-11326",
        "datePublished": "2026-06-05T00:12:32.077Z",
        "dateReserved": "2026-06-05T00:07:13.696Z",
        "dateUpdated": "2026-06-05T18:32:50.603Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-59532 (GCVE-0-2025-59532)

    Vulnerability from nvd – Published: 2025-09-22 20:26 – Updated: 2025-09-23 20:19
    VLAI
    Title
    Codex has sandbox bypass due to bug in path configuration logic
    Summary
    Codex CLI is a coding agent from OpenAI that runs locally. In versions 0.2.0 to 0.38.0, due to a bug in the sandbox configuration logic, Codex CLI could treat a model-generated cwd as the sandbox’s writable root, including paths outside of the folder where the user started their session. This logic bypassed the intended workspace boundary and enables arbitrary file writes and command execution where the Codex process has permissions - this did not impact the network-disabled sandbox restriction. This issue has been patched in Codex CLI 0.39.0 that canonicalizes and validates that the boundary used for sandbox policy is based on where the user started the session, and not the one generated by the model. Users running 0.38.0 or earlier should update immediately via their package manager or by reinstalling the latest Codex CLI to ensure sandbox boundaries are enforced. If using the Codex IDE extension, users should immediately update to 0.4.12 for a fix of the sandbox issue.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-20 - Improper Input Validation
    Assigner
    Impacted products
    Vendor Product Version
    openai codex Affected: >= 0.2.0, < 0.39.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-59532",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-09-23T20:18:58.151069Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-09-23T20:19:23.374Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "codex",
              "vendor": "openai",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 0.2.0, \u003c 0.39.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Codex CLI is a coding agent from OpenAI that runs locally. In versions 0.2.0 to 0.38.0, due to a bug in the sandbox configuration logic, Codex CLI could treat a model-generated cwd as the sandbox\u2019s writable root, including paths outside of the folder where the user started their session. This logic bypassed the intended workspace boundary and enables arbitrary file writes and command execution where the Codex process has permissions - this did not impact the network-disabled sandbox restriction. This issue has been patched in Codex CLI 0.39.0 that canonicalizes and validates that the boundary used for sandbox policy is based on where the user started the session, and not the one generated by the model. Users running 0.38.0 or earlier should update immediately via their package manager or by reinstalling the latest Codex CLI to ensure sandbox boundaries are enforced. If using the Codex IDE extension, users should immediately update to 0.4.12 for a fix of the sandbox issue."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.6,
                "baseSeverity": "HIGH",
                "privilegesRequired": "LOW",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "PASSIVE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20: Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-09-22T20:26:42.712Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/openai/codex/security/advisories/GHSA-w5fx-fh39-j5rw",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/openai/codex/security/advisories/GHSA-w5fx-fh39-j5rw"
            },
            {
              "name": "https://github.com/openai/codex/commit/8595237505a1e0faabc2af3db805b66ce3ae182d",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/openai/codex/commit/8595237505a1e0faabc2af3db805b66ce3ae182d"
            },
            {
              "name": "https://github.com/openai/codex/releases/tag/rust-v0.39.0",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/openai/codex/releases/tag/rust-v0.39.0"
            }
          ],
          "source": {
            "advisory": "GHSA-w5fx-fh39-j5rw",
            "discovery": "UNKNOWN"
          },
          "title": "Codex has sandbox bypass due to bug in path configuration logic"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-59532",
        "datePublished": "2025-09-22T20:26:42.712Z",
        "dateReserved": "2025-09-17T17:04:20.373Z",
        "dateUpdated": "2025-09-23T20:19:23.374Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-54558 (GCVE-0-2025-54558)

    Vulnerability from nvd – Published: 2025-07-25 00:00 – Updated: 2025-07-25 13:23
    VLAI
    Summary
    OpenAI Codex CLI before 0.9.0 auto-approves ripgrep (aka rg) execution even with the --pre or --hostname-bin or --search-zip or -z flag.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-829 - Inclusion of Functionality from Untrusted Control Sphere
    Assigner
    Impacted products
    Vendor Product Version
    OpenAI Codex CLI Affected: 0 , < 0.9.0 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-54558",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-07-25T13:23:22.534964Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-07-25T13:23:27.135Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Codex CLI",
              "vendor": "OpenAI",
              "versions": [
                {
                  "lessThan": "0.9.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "OpenAI Codex CLI before 0.9.0 auto-approves ripgrep (aka rg) execution even with the --pre or --hostname-bin or --search-zip or -z flag."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 4.1,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-829",
                  "description": "CWE-829 Inclusion of Functionality from Untrusted Control Sphere",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-07-25T01:24:52.040Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://github.com/openai/codex/pull/1644"
            },
            {
              "url": "https://github.com/openai/codex/compare/rust-v0.8.0...rust-v0.9.0"
            },
            {
              "url": "https://github.com/openai/codex/commit/6cf4b96f9dbbef8a94acc1ff703eb118481514d8"
            }
          ],
          "x_generator": {
            "engine": "enrichogram 0.0.1"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2025-54558",
        "datePublished": "2025-07-25T00:00:00.000Z",
        "dateReserved": "2025-07-25T00:00:00.000Z",
        "dateUpdated": "2025-07-25T13:23:27.135Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-7021 (GCVE-0-2025-7021)

    Vulnerability from nvd – Published: 2025-07-10 19:09 – Updated: 2025-07-10 20:29
    VLAI
    Title
    OpenAI Operator - API Spoofing through Locking Operator on FullScreen
    Summary
    Fullscreen API Spoofing and UI Redressing in the handling of Fullscreen API and UI rendering in OpenAI Operator SaaS on Web allows a remote attacker to capture sensitive user input (e.g., login credentials, email addresses) via displaying a deceptive fullscreen interface with overlaid fake browser controls and a distracting element (like a cookie consent screen) to obscure fullscreen notifications, tricking the user into interacting with the malicious site.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-451 - : User Interface (UI) Misrepresentation of Critical Information
    Assigner
    Impacted products
    Vendor Product Version
    OpenAI Operator Affected: SaaS
    Create a notification for this product.
    Date Public
    2025-06-13 13:16
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-7021",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-07-10T20:24:13.567962Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-07-10T20:29:32.210Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Operator",
              "vendor": "OpenAI",
              "versions": [
                {
                  "status": "affected",
                  "version": "SaaS"
                }
              ]
            }
          ],
          "datePublic": "2025-06-13T13:16:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Fullscreen API Spoofing and UI Redressing in the handling of Fullscreen API and UI rendering in OpenAI Operator SaaS on Web allows a remote attacker to capture sensitive user input (e.g., login credentials, email addresses) via displaying a deceptive fullscreen interface with overlaid fake browser controls and a distracting element (like a cookie consent screen) to obscure fullscreen notifications, tricking the user into interacting with the malicious site.\u003cbr\u003e"
                }
              ],
              "value": "Fullscreen API Spoofing and UI Redressing in the handling of Fullscreen API and UI rendering in OpenAI Operator SaaS on Web allows a remote attacker to capture sensitive user input (e.g., login credentials, email addresses) via displaying a deceptive fullscreen interface with overlaid fake browser controls and a distracting element (like a cookie consent screen) to obscure fullscreen notifications, tricking the user into interacting with the malicious site."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-242",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-242 Code Injection"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "HIGH",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 6.9,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "NONE",
                "userInteraction": "PASSIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-451",
                  "description": "CWE-451 : User Interface (UI) Misrepresentation of Critical Information",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-07-10T19:09:40.590Z",
            "orgId": "14ed7db2-1595-443d-9d34-6215bf890778",
            "shortName": "Google"
          },
          "references": [
            {
              "url": "https://github.com/google/security-research/security/advisories/GHSA-mmgx-755h-wr74"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "OpenAI Operator - API Spoofing through Locking Operator on FullScreen",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778",
        "assignerShortName": "Google",
        "cveId": "CVE-2025-7021",
        "datePublished": "2025-07-10T19:09:40.590Z",
        "dateReserved": "2025-07-02T12:44:54.941Z",
        "dateUpdated": "2025-07-10T20:29:32.210Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-43714 (GCVE-0-2025-43714)

    Vulnerability from nvd – Published: 2025-05-19 00:00 – Updated: 2025-05-19 15:50
    VLAI
    Summary
    The ChatGPT system through 2025-03-30 performs inline rendering of SVG documents (instead of, for example, rendering them as text inside a code block), which enables HTML injection within most modern graphical web browsers.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • n/a
    • CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')
    Assigner
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 6.5,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-43714",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-19T15:49:22.588296Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-77",
                    "description": "CWE-77 Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-19T15:50:23.181Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The ChatGPT system through 2025-03-30 performs inline rendering of SVG documents (instead of, for example, rendering them as text inside a code block), which enables HTML injection within most modern graphical web browsers."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-05-19T14:44:10.755Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://medium.com/@zer0dac/chatgpt-a-potential-phishing-vector-via-html-injection-bf703c79590a"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2025-43714",
        "datePublished": "2025-05-19T00:00:00.000Z",
        "dateReserved": "2025-04-17T00:00:00.000Z",
        "dateUpdated": "2025-05-19T15:50:23.181Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2026-14898 (GCVE-0-2026-14898)

    Vulnerability from cvelistv5 – Published: 2026-07-06 19:41 – Updated: 2026-07-07 15:35
    VLAI
    Summary
    The OpenAI Codex desktop app for macOS rendered remote images from Markdown in model responses. An attacker who could place an indirect prompt injection in content processed by Codex, such as a connected-tool result or another untrusted source, could induce the model to construct a remote image URL containing sensitive data. The app automatically fetched that URL when rendering the response, sending the embedded data to an attacker-controlled server without a separate user click. Successful exploitation could exfiltrate secrets and other information accessible in the Codex session, including API keys, source code, and data returned by connected tools. No direct integrity or availability impact was demonstrated, and there is no known exploitation in the wild.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    Assigner
    OAI
    References
    Impacted products
    Vendor Product Version
    OpenAI Codex desktop app for macOS Affected: 0 , < 26.527.31326 (custom)
    Create a notification for this product.
    Credits
    wuzzi23 (original report) Itay Ravia of Cato Networks (independent report)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 6.5,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "REQUIRED",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-14898",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-07T15:35:10.010319Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-07T15:35:14.109Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Codex desktop app for macOS",
              "vendor": "OpenAI",
              "versions": [
                {
                  "lessThan": "26.527.31326",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "configurations": [
            {
              "lang": "en",
              "value": "Codex desktop app on macOS with remote Markdown image rendering enabled. Exploitation requires attacker-controlled or untrusted content to be processed by Codex and induce a response containing a remote image URL with sensitive data embedded in the URL."
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "wuzzi23 (original report)"
            },
            {
              "lang": "en",
              "value": "Itay Ravia of Cato Networks (independent report)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The OpenAI Codex desktop app for macOS rendered remote images from Markdown in model responses. An attacker who could place an indirect prompt injection in content processed by Codex, such as a connected-tool result or another untrusted source, could induce the model to construct a remote image URL containing sensitive data. The app automatically fetched that URL when rendering the response, sending the embedded data to an attacker-controlled server without a separate user click. Successful exploitation could exfiltrate secrets and other information accessible in the Codex session, including API keys, source code, and data returned by connected tools. No direct integrity or availability impact was demonstrated, and there is no known exploitation in the wild."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "Exposure of Sensitive Information to an Unauthorized Actor",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-06T19:41:36.632Z",
            "orgId": "8f4f43ab-ba69-4d92-aa1d-d772184d6fb7",
            "shortName": "OAI"
          },
          "references": [
            {
              "url": "https://openai.com/codex/"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Upgrade to 26.527.31326 or later. The product fix disables loading remote images from Markdown."
            }
          ],
          "workarounds": [
            {
              "lang": "en",
              "value": "If an upgrade is not possible, avoid processing untrusted content and connected-tool data in affected versions."
            }
          ],
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8f4f43ab-ba69-4d92-aa1d-d772184d6fb7",
        "assignerShortName": "OAI",
        "cveId": "CVE-2026-14898",
        "datePublished": "2026-07-06T19:41:36.632Z",
        "dateReserved": "2026-07-06T19:35:48.882Z",
        "dateUpdated": "2026-07-07T15:35:14.109Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-11326 (GCVE-0-2026-11326)

    Vulnerability from cvelistv5 – Published: 2026-06-05 00:12 – Updated: 2026-06-05 18:32
    VLAI
    Summary
    OpenAI Atlas before 1.2025.288.15 exposed privileged browser APIs to web content on *.openai.com origins. A cross-site scripting vulnerability in forum.openai.com could be used to access these functions, allowing access to browser history information and the ability to open or close tabs. OpenAI Atlas 1.2025.288.15 narrows access to these APIs to *.chatgpt.com; users should upgrade to 1.2025.288.15 or later.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-284 - Improper Access Control
    Assigner
    OAI
    References
    Impacted products
    Vendor Product Version
    OpenAI OpenAI Atlas Affected: 0 , < 1.2025.288.15 (custom)
    Create a notification for this product.
    Credits
    s1r1us and sudi of hacktron.ai
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-11326",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-05T18:32:37.907593Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-05T18:32:50.603Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "OpenAI Atlas",
              "vendor": "OpenAI",
              "versions": [
                {
                  "lessThan": "1.2025.288.15",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "s1r1us and sudi of hacktron.ai"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "OpenAI Atlas before 1.2025.288.15 exposed privileged browser APIs to web content on *.openai.com origins. A cross-site scripting vulnerability in forum.openai.com could be used to access these functions, allowing access to browser history information and the ability to open or close tabs. OpenAI Atlas 1.2025.288.15 narrows access to these APIs to *.chatgpt.com; users should upgrade to 1.2025.288.15 or later."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 6,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/AU:N/V:D/RE:L/U:Green",
                "version": "4.0"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-284",
                  "description": "CWE-284 Improper Access Control",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-05T17:59:00.942Z",
            "orgId": "8f4f43ab-ba69-4d92-aa1d-d772184d6fb7",
            "shortName": "OAI"
          },
          "references": [
            {
              "name": "Pwning OpenAI Atlas Through Exposed Browser Internals",
              "tags": [
                "technical-description"
              ],
              "url": "https://www.hacktron.ai/blog/hacking-openai-atlas-browser"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Upgrade to OpenAI Atlas 1.2025.288.15 or later."
            }
          ],
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8f4f43ab-ba69-4d92-aa1d-d772184d6fb7",
        "assignerShortName": "OAI",
        "cveId": "CVE-2026-11326",
        "datePublished": "2026-06-05T00:12:32.077Z",
        "dateReserved": "2026-06-05T00:07:13.696Z",
        "dateUpdated": "2026-06-05T18:32:50.603Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-59532 (GCVE-0-2025-59532)

    Vulnerability from cvelistv5 – Published: 2025-09-22 20:26 – Updated: 2025-09-23 20:19
    VLAI
    Title
    Codex has sandbox bypass due to bug in path configuration logic
    Summary
    Codex CLI is a coding agent from OpenAI that runs locally. In versions 0.2.0 to 0.38.0, due to a bug in the sandbox configuration logic, Codex CLI could treat a model-generated cwd as the sandbox’s writable root, including paths outside of the folder where the user started their session. This logic bypassed the intended workspace boundary and enables arbitrary file writes and command execution where the Codex process has permissions - this did not impact the network-disabled sandbox restriction. This issue has been patched in Codex CLI 0.39.0 that canonicalizes and validates that the boundary used for sandbox policy is based on where the user started the session, and not the one generated by the model. Users running 0.38.0 or earlier should update immediately via their package manager or by reinstalling the latest Codex CLI to ensure sandbox boundaries are enforced. If using the Codex IDE extension, users should immediately update to 0.4.12 for a fix of the sandbox issue.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-20 - Improper Input Validation
    Assigner
    Impacted products
    Vendor Product Version
    openai codex Affected: >= 0.2.0, < 0.39.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-59532",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-09-23T20:18:58.151069Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-09-23T20:19:23.374Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "codex",
              "vendor": "openai",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 0.2.0, \u003c 0.39.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Codex CLI is a coding agent from OpenAI that runs locally. In versions 0.2.0 to 0.38.0, due to a bug in the sandbox configuration logic, Codex CLI could treat a model-generated cwd as the sandbox\u2019s writable root, including paths outside of the folder where the user started their session. This logic bypassed the intended workspace boundary and enables arbitrary file writes and command execution where the Codex process has permissions - this did not impact the network-disabled sandbox restriction. This issue has been patched in Codex CLI 0.39.0 that canonicalizes and validates that the boundary used for sandbox policy is based on where the user started the session, and not the one generated by the model. Users running 0.38.0 or earlier should update immediately via their package manager or by reinstalling the latest Codex CLI to ensure sandbox boundaries are enforced. If using the Codex IDE extension, users should immediately update to 0.4.12 for a fix of the sandbox issue."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.6,
                "baseSeverity": "HIGH",
                "privilegesRequired": "LOW",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "PASSIVE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20: Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-09-22T20:26:42.712Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/openai/codex/security/advisories/GHSA-w5fx-fh39-j5rw",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/openai/codex/security/advisories/GHSA-w5fx-fh39-j5rw"
            },
            {
              "name": "https://github.com/openai/codex/commit/8595237505a1e0faabc2af3db805b66ce3ae182d",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/openai/codex/commit/8595237505a1e0faabc2af3db805b66ce3ae182d"
            },
            {
              "name": "https://github.com/openai/codex/releases/tag/rust-v0.39.0",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/openai/codex/releases/tag/rust-v0.39.0"
            }
          ],
          "source": {
            "advisory": "GHSA-w5fx-fh39-j5rw",
            "discovery": "UNKNOWN"
          },
          "title": "Codex has sandbox bypass due to bug in path configuration logic"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-59532",
        "datePublished": "2025-09-22T20:26:42.712Z",
        "dateReserved": "2025-09-17T17:04:20.373Z",
        "dateUpdated": "2025-09-23T20:19:23.374Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-54558 (GCVE-0-2025-54558)

    Vulnerability from cvelistv5 – Published: 2025-07-25 00:00 – Updated: 2025-07-25 13:23
    VLAI
    Summary
    OpenAI Codex CLI before 0.9.0 auto-approves ripgrep (aka rg) execution even with the --pre or --hostname-bin or --search-zip or -z flag.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-829 - Inclusion of Functionality from Untrusted Control Sphere
    Assigner
    Impacted products
    Vendor Product Version
    OpenAI Codex CLI Affected: 0 , < 0.9.0 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-54558",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-07-25T13:23:22.534964Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-07-25T13:23:27.135Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Codex CLI",
              "vendor": "OpenAI",
              "versions": [
                {
                  "lessThan": "0.9.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "OpenAI Codex CLI before 0.9.0 auto-approves ripgrep (aka rg) execution even with the --pre or --hostname-bin or --search-zip or -z flag."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 4.1,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-829",
                  "description": "CWE-829 Inclusion of Functionality from Untrusted Control Sphere",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-07-25T01:24:52.040Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://github.com/openai/codex/pull/1644"
            },
            {
              "url": "https://github.com/openai/codex/compare/rust-v0.8.0...rust-v0.9.0"
            },
            {
              "url": "https://github.com/openai/codex/commit/6cf4b96f9dbbef8a94acc1ff703eb118481514d8"
            }
          ],
          "x_generator": {
            "engine": "enrichogram 0.0.1"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2025-54558",
        "datePublished": "2025-07-25T00:00:00.000Z",
        "dateReserved": "2025-07-25T00:00:00.000Z",
        "dateUpdated": "2025-07-25T13:23:27.135Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-7021 (GCVE-0-2025-7021)

    Vulnerability from cvelistv5 – Published: 2025-07-10 19:09 – Updated: 2025-07-10 20:29
    VLAI
    Title
    OpenAI Operator - API Spoofing through Locking Operator on FullScreen
    Summary
    Fullscreen API Spoofing and UI Redressing in the handling of Fullscreen API and UI rendering in OpenAI Operator SaaS on Web allows a remote attacker to capture sensitive user input (e.g., login credentials, email addresses) via displaying a deceptive fullscreen interface with overlaid fake browser controls and a distracting element (like a cookie consent screen) to obscure fullscreen notifications, tricking the user into interacting with the malicious site.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-451 - : User Interface (UI) Misrepresentation of Critical Information
    Assigner
    Impacted products
    Vendor Product Version
    OpenAI Operator Affected: SaaS
    Create a notification for this product.
    Date Public
    2025-06-13 13:16
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-7021",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-07-10T20:24:13.567962Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-07-10T20:29:32.210Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Operator",
              "vendor": "OpenAI",
              "versions": [
                {
                  "status": "affected",
                  "version": "SaaS"
                }
              ]
            }
          ],
          "datePublic": "2025-06-13T13:16:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Fullscreen API Spoofing and UI Redressing in the handling of Fullscreen API and UI rendering in OpenAI Operator SaaS on Web allows a remote attacker to capture sensitive user input (e.g., login credentials, email addresses) via displaying a deceptive fullscreen interface with overlaid fake browser controls and a distracting element (like a cookie consent screen) to obscure fullscreen notifications, tricking the user into interacting with the malicious site.\u003cbr\u003e"
                }
              ],
              "value": "Fullscreen API Spoofing and UI Redressing in the handling of Fullscreen API and UI rendering in OpenAI Operator SaaS on Web allows a remote attacker to capture sensitive user input (e.g., login credentials, email addresses) via displaying a deceptive fullscreen interface with overlaid fake browser controls and a distracting element (like a cookie consent screen) to obscure fullscreen notifications, tricking the user into interacting with the malicious site."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-242",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-242 Code Injection"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "HIGH",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 6.9,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "NONE",
                "userInteraction": "PASSIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-451",
                  "description": "CWE-451 : User Interface (UI) Misrepresentation of Critical Information",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-07-10T19:09:40.590Z",
            "orgId": "14ed7db2-1595-443d-9d34-6215bf890778",
            "shortName": "Google"
          },
          "references": [
            {
              "url": "https://github.com/google/security-research/security/advisories/GHSA-mmgx-755h-wr74"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "OpenAI Operator - API Spoofing through Locking Operator on FullScreen",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778",
        "assignerShortName": "Google",
        "cveId": "CVE-2025-7021",
        "datePublished": "2025-07-10T19:09:40.590Z",
        "dateReserved": "2025-07-02T12:44:54.941Z",
        "dateUpdated": "2025-07-10T20:29:32.210Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-43714 (GCVE-0-2025-43714)

    Vulnerability from cvelistv5 – Published: 2025-05-19 00:00 – Updated: 2025-05-19 15:50
    VLAI
    Summary
    The ChatGPT system through 2025-03-30 performs inline rendering of SVG documents (instead of, for example, rendering them as text inside a code block), which enables HTML injection within most modern graphical web browsers.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • n/a
    • CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')
    Assigner
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 6.5,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-43714",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-19T15:49:22.588296Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-77",
                    "description": "CWE-77 Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-19T15:50:23.181Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The ChatGPT system through 2025-03-30 performs inline rendering of SVG documents (instead of, for example, rendering them as text inside a code block), which enables HTML injection within most modern graphical web browsers."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-05-19T14:44:10.755Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://medium.com/@zer0dac/chatgpt-a-potential-phishing-vector-via-html-injection-bf703c79590a"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2025-43714",
        "datePublished": "2025-05-19T00:00:00.000Z",
        "dateReserved": "2025-04-17T00:00:00.000Z",
        "dateUpdated": "2025-05-19T15:50:23.181Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }