### Key Information

- **CVE ID**: CVE-2026-0764
- **CVSS Score**: 9.8, AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- **Affected Vendors**: GPT Academic
- **Affected Products**: GPT Academic
- **Vulnerability Details**:
  - **Description**: This vulnerability allows remote attackers to execute arbitrary code on affected installations of GPT Academic. Authentication is not required to exploit this vulnerability.
  - **Specific Issue**: The specific flaw exists within the upload endpoint. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of root.
- **Mitigation**: Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the product.
- **Disclosure Timeline**:
  - 2025-08-27: Vulnerability reported to vendor
  - 2026-01-09: Coordinated public release of advisory
  - 2026-01-09: Advisory Updated
- **Credit**: Peter Girnus (@gothburz) of Trend Zero Day Initiative