CVE ID: CVE-2026-0762
CVSS Score: 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
Affected Vendor: GPT Academic
Affected Product: GPT Academic

Vulnerability Details:
- This vulnerability allows remote attackers to execute arbitrary code on affected installations of GPT Academic. Interaction with a malicious DAAS server is required to exploit this vulnerability, but attack vectors may vary depending on the implementation.
- The specific flaw exists within the stream_daas function, resulting from the lack of proper validation of user-supplied data, leading to deserialization of untrusted data. An attacker can leverage this to execute code in the context of root.

Additional Details:
- 08/27/25 - ZDI submitted the report to the vendor
- 09/24/25 - ZDI asked for updates
- 10/22/25 - ZDI asked for updates
- 12/10/25 - ZDI notified the vendor of the intention to publish the case as a 0-day advisory

Mitigation: The only salient mitigation strategy is to restrict interaction with the product.

Disclosure Timeline:
- 2025-08-27 - Vulnerability reported to vendor
- 2026-01-09 - Coordinated public release of advisory
- 2026-01-09 - Advisory Updated

Credit: Peter Girnus (@gothburz) and Brandon Niemczyk of Trend Zero Day Initiative