PatchSiren

LearningCircuit CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

MEDIUM LearningCircuit CVE published 2026-05-28

CVE-2026-46526

A Server-Side Request Forgery (SSRF) vulnerability exists in Local Deep Research versions prior to 1.6.10. The flaw stems from a logical inconsistency between URL validation and actual request handling: the `validate_url` function uses Python's `urlparse` to extract and check the host portion for SSRF prevention, but the subsequent `requests.get` call may parse the same URL differently. This parsing diffe [truncated]

MEDIUM LearningCircuit CVE published 2026-05-28

CVE-2026-43979

## Summary

CVE-2026-43979 is a **medium-severity** (CVSS 5.0) vulnerability in Local Deep Research, an AI-powered research assistant. The flaw exists in versions prior to 1.6.0 and allows authenticated attackers to inject arbitrary HTML via unescaped user-controlled values in PDF generation, which can be chained to bypass SSRF defenses.

## Technical Analysis

The vulnerability resides in `PDFService._markd [truncated]