When prompts become shells: RCE vulnerabilities in AI agent frameworks

In this article 1. A representative case study: Semantic Kernel 2. CVE-2026-26030: In-Memory Vector Store 3. CVE-2026-25592: Arbitrary file write through SessionsPythonPlugin 4. The vulnerability 5. Attack chain overview 6. Defending the agentic edge 7. Not bugs, but developed by design 8. CTF...

When prompts become shells: RCE vulnerabilities in AI agent frameworks

In this article 1. A representative case study: Semantic Kernel 2. CVE-2026-26030: In-Memory Vector Store 3. CVE-2026-25592: Arbitrary file write through SessionsPythonPlugin 4. The vulnerability 5. Attack chain overview 6. Defending the agentic edge 7. Not bugs, but developed by design 8. CTF...

SUSE CVE-2026-28231

pillowheif is a Python library for working with HEIF images and plugin for Pillow. Prior to version 1.3.0, an integer overflow in the encode path buffer validation of pillowheif.c allows an attacker to bypass bounds checks by providing large image dimensions, resulting in a heap out-of-bounds rea...

Arbitrary File Write

Semantic Kernel is vulnerable to Arbitrary File Write. The vulnerability is due to insufficient validation of file paths in the SessionsPythonPlugin, where attacker-controlled localFilePath arguments passed to DownloadFileAsync or UploadFileAsync can write files to arbitrary locations on the host...

CVE-2026-25592

Semantic Kernel is an SDK used to build, orchestrate, and deploy AI agents and multi-agent systems. Prior to 1.71.0, an Arbitrary File Write vulnerability has been identified in Microsoft's Semantic Kernel .NET SDK, specifically within the SessionsPythonPlugin. The problem has been fixed in...

CVE-2026-25592

Semantic Kernel is an SDK used to build, orchestrate, and deploy AI agents and multi-agent systems. Prior to 1.71.0, an Arbitrary File Write vulnerability has been identified in Microsoft's Semantic Kernel .NET SDK, specifically within the SessionsPythonPlugin. The problem has been fixed in...

EUVD-2026-5582

Semantic Kernel is an SDK used to build, orchestrate, and deploy AI agents and multi-agent systems. Prior to 1.70.0, an Arbitrary File Write vulnerability has been identified in Microsoft's Semantic Kernel .NET SDK, specifically within the SessionsPythonPlugin. The problem has been fixed in...

CVE-2026-25592

Semantic Kernel is an SDK used to build, orchestrate, and deploy AI agents and multi-agent systems. Prior to 1.70.0, an Arbitrary File Write vulnerability has been identified in Microsoft's Semantic Kernel .NET SDK, specifically within the SessionsPythonPlugin. The problem has been fixed in...

CVE-2026-25592

The CVE-2026-25592 entry affects Microsoft's Semantic Kernel .NET SDK, specifically the SessionsPythonPlugin, with an Arbitrary File Write vulnerability present prior to version 1.70.0. The issue allows writing files to arbitrary locations via the plugin, and the fixed version is Microsoft.Semant...

GHSA-2WW3-72RP-WPP4 Semantic Kernel has Arbitrary File Write via AI Agent Function Calling in .NET SDK

Impact What kind of vulnerability is it? Who is impacted? An Arbitrary File Write vulnerability has been identified in Microsoft's Semantic Kernel .NET SDK, specifically within the SessionsPythonPlugin. Developers who have built applications which include Microsoft's Semantic Kernel .NET SDK and...

Microsoft Semantic Kernel 路径遍历漏洞

Microsoft Semantic Kernel is a large-scale model orchestration framework developed by Microsoft Corporation. Versions of Microsoft Semantic Kernel prior to 1.70.0 contained a path traversal vulnerability, which was caused by an arbitrary file writing vulnerability in the SessionsPythonPlugin...

PT-2026-6792

Name of the Vulnerable Software and Affected Versions Microsoft Semantic Kernel .NET SDK versions prior to 1.71.0 Agent Framework version 1.0 Description An arbitrary file write issue exists within the SessionsPythonPlugin of the .NET SDK. This flaw can be chained with path traversal and insecure...

PT-2026-6847

Impact What kind of vulnerability is it? Who is impacted? An Arbitrary File Write vulnerability has been identified in Microsoft's Semantic Kernel .NET SDK, specifically within the SessionsPythonPlugin. Developers who have built applications which include Microsoft's Semantic Kernel .NET SDK and...

EUVD-2008-5954

Malware in sbrugna...

Linux Distros Unpatched Vulnerability : CVE-2017-7178

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - CSRF was discovered in the web UI in Deluge before 1.3.14. The exploitation methodology involves 1 hosting a crafted plugin that executes an arbitrary program...

CVE-2021-42561

An issue was discovered in CALDERA 2.8.1. When activated, the Human plugin passes the unsanitized name parameter to a python "os.system" function. This allows attackers to use shell metacharacters e.g., backticks "" or dollar parenthesis "$" in order to escape the current command and execute...

SUSE CVE-2005-2966

The Python SVG import plugin diasvgimport.py for DIA 0.94 and earlier allows user-assisted attackers to execute arbitrary commands via a crafted SVG file...

SUSE CVE-2008-5984

Untrusted search path vulnerability in the Python plugin in Dia 0.96.1, and possibly other versions, allows local users to execute arbitrary code via a Trojan horse Python file in the current working directory, related to a vulnerability in the PySysSetArgv function CVE-2008-5983...

@adobe/git-server (>=0.9.17 <=1.0.0), @adobe/helix-cli (>=0.3.0-SNAPSHOT.293 <=5.7.6) +34 more potentially affected by CVE-2022-22984 via snyk-python-plugin (>=1.0.0 <=1.24.0)

snyk-python-plugin NPM version =1.0.0, =0.9.17, =0.3.0-SNAPSHOT.293, =2.6.0, =1.0.5-SNAPSHOT.105, =0.0.4, =8.0.36, =5.0.22, =3.10.42, =0.0.70, =0.5.8, =3.2.4, =0.0.2, =0.0.11, =1.0.1 - @ericblade/quagga2-redux-middleware =1.0.1 and more Source cves: CVE-2022-22984 Source advisory:...

GHSA-4X6G-3CMX-W76R Snyk plugins vulnerable to Command Injection

The package snyk before 1.1064.0; the package snyk-mvn-plugin before 2.31.3; the package snyk-gradle-plugin before 3.24.5; the package @snyk/snyk-cocoapods-plugin before 2.5.3; the package snyk-sbt-plugin before 2.16.2; the package snyk-python-plugin before 1.24.2; the package snyk-docker-plugin...