{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25130", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-29T14:03:42.540Z", "datePublished": "2026-01-30T20:15:51.772Z", "dateUpdated": "2026-02-02T18:01:06.518Z"}, "containers": {"cna": {"title": "Cybersecurity AI vulnerable to command Injection through argument injection in find_file Agent tool", "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "lang": "en", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.7, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/aliasrobotics/cai/security/advisories/GHSA-jfpc-wj3m-qw2m", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/aliasrobotics/cai/security/advisories/GHSA-jfpc-wj3m-qw2m"}, {"name": "https://github.com/aliasrobotics/cai/commit/e22a1220f764e2d7cf9da6d6144926f53ca01cde", "tags": ["x_refsource_MISC"], "url": "https://github.com/aliasrobotics/cai/commit/e22a1220f764e2d7cf9da6d6144926f53ca01cde"}, {"name": "https://github.com/aliasrobotics/cai/blob/559de8fcbc2b44f3b0360f35ffdc2bb975e7d7e4/src/cai/tools/reconnaissance/filesystem.py#L60", "tags": ["x_refsource_MISC"], "url": "https://github.com/aliasrobotics/cai/blob/559de8fcbc2b44f3b0360f35ffdc2bb975e7d7e4/src/cai/tools/reconnaissance/filesystem.py#L60"}], "affected": [{"vendor": "aliasrobotics", "product": "cai", "versions": [{"version": "<= 0.5.10", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-30T20:15:51.772Z"}, "descriptions": [{"lang": "en", "value": "Cybersecurity AI (CAI) is a framework for AI Security. In versions up to and including 0.5.10, the CAI (Cybersecurity AI) framework contains multiple argument injection vulnerabilities in its function tools. User-controlled input is passed directly to shell commands via `subprocess.Popen()` with `shell=True`, allowing attackers to execute arbitrary commands on the host system. The `find_file()` tool executes without requiring user approval because find is considered a \"safe\" pre-approved command. This means an attacker can achieve Remote Code Execution (RCE) by injecting malicious arguments (like -exec) into the args parameter, completely bypassing any human-in-the-loop safety mechanisms. Commit e22a1220f764e2d7cf9da6d6144926f53ca01cde contains a fix."}], "source": {"advisory": "GHSA-jfpc-wj3m-qw2m", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-02T18:00:55.987075Z", "id": "CVE-2026-25130", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-02T18:01:06.518Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25130", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-02T18:00:55.987075Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-02T18:01:01.143Z"}}], "cna": {"title": "Cybersecurity AI vulnerable to command Injection through argument injection in find_file Agent tool", "source": {"advisory": "GHSA-jfpc-wj3m-qw2m", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.7, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "aliasrobotics", "product": "cai", "versions": [{"status": "affected", "version": "<= 0.5.10"}]}], "references": [{"url": "https://github.com/aliasrobotics/cai/security/advisories/GHSA-jfpc-wj3m-qw2m", "name": "https://github.com/aliasrobotics/cai/security/advisories/GHSA-jfpc-wj3m-qw2m", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/aliasrobotics/cai/commit/e22a1220f764e2d7cf9da6d6144926f53ca01cde", "name": "https://github.com/aliasrobotics/cai/commit/e22a1220f764e2d7cf9da6d6144926f53ca01cde", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/aliasrobotics/cai/blob/559de8fcbc2b44f3b0360f35ffdc2bb975e7d7e4/src/cai/tools/reconnaissance/filesystem.py#L60", "name": "https://github.com/aliasrobotics/cai/blob/559de8fcbc2b44f3b0360f35ffdc2bb975e7d7e4/src/cai/tools/reconnaissance/filesystem.py#L60", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Cybersecurity AI (CAI) is a framework for AI Security. In versions up to and including 0.5.10, the CAI (Cybersecurity AI) framework contains multiple argument injection vulnerabilities in its function tools. User-controlled input is passed directly to shell commands via `subprocess.Popen()` with `shell=True`, allowing attackers to execute arbitrary commands on the host system. The `find_file()` tool executes without requiring user approval because find is considered a \"safe\" pre-approved command. This means an attacker can achieve Remote Code Execution (RCE) by injecting malicious arguments (like -exec) into the args parameter, completely bypassing any human-in-the-loop safety mechanisms. Commit e22a1220f764e2d7cf9da6d6144926f53ca01cde contains a fix."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-30T20:15:51.772Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25130", "state": "PUBLISHED", "dateUpdated": "2026-02-02T18:01:06.518Z", "dateReserved": "2026-01-29T14:03:42.540Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-30T20:15:51.772Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Cybersecurity AI (CAI) is a framework for AI Security. In versions up to and including 0.5.10, the CAI (Cybersecurity AI) framework contains multiple argument injection vulnerabilities in its function tools. User-controlled input is passed directly to shell commands via `subprocess.Popen()` with `shell=True`, allowing attackers to execute arbitrary commands on the host system. The `find_file()` tool executes without requiring user approval because find is considered a \"safe\" pre-approved command. This means an attacker can achieve Remote Code Execution (RCE) by injecting malicious arguments (like -exec) into the args parameter, completely bypassing any human-in-the-loop safety mechanisms. Commit e22a1220f764e2d7cf9da6d6144926f53ca01cde contains a fix."}, {"lang": "es", "value": "Ciberseguridad AI (CAI) es un framework para la seguridad de la IA. En versiones hasta la 0.5.10 inclusive, el framework CAI (Ciberseguridad AI) contiene m\u00faltiples vulnerabilidades de inyecci\u00f3n de argumentos en sus herramientas de funci\u00f3n. La entrada controlada por el usuario se pasa directamente a comandos de shell a trav\u00e9s de `subprocess.Popen()` con `shell=True`, permitiendo a los atacantes ejecutar comandos arbitrarios en el sistema anfitri\u00f3n. La herramienta `find_file()` se ejecuta sin requerir aprobaci\u00f3n del usuario porque find se considera un comando 'seguro' preaprobado. Esto significa que un atacante puede lograr Ejecuci\u00f3n Remota de C\u00f3digo (RCE) inyectando argumentos maliciosos (como -exec) en el par\u00e1metro args, eludiendo completamente cualquier mecanismo de seguridad de intervenci\u00f3n humana. El commit e22a1220f764e2d7cf9da6d6144926f53ca01cde contiene una soluci\u00f3n."}], "id": "CVE-2026-25130", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.6, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-01-30T21:15:58.443", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/aliasrobotics/cai/blob/559de8fcbc2b44f3b0360f35ffdc2bb975e7d7e4/src/cai/tools/reconnaissance/filesystem.py#L60"}, {"source": "security-advisories@github.com", "url": "https://github.com/aliasrobotics/cai/commit/e22a1220f764e2d7cf9da6d6144926f53ca01cde"}, {"source": "security-advisories@github.com", "url": "https://github.com/aliasrobotics/cai/security/advisories/GHSA-jfpc-wj3m-qw2m"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T01:03:10.411245+00:00", "value": {"mitigation_remediation": ["Apply the patch from commit e22a1220f764e2d7cf9da6d6144926f53ca01cde or upgrade to a CAI release that incorporates this fix.", "If an immediate upgrade is not feasible, disable the find_file tool or limit its execution to trusted, audited users to eliminate the attack surface.", "Audit the framework for any additional subprocess.Popen invocations with shell=True and replace them with safe, argument-array usage or enforce strict input sanitization."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the aliasrobotics Cybersecurity AI (CAI) framework, versions up to and including 0.5.10. Users running these releases should verify the current commit hash against the patched revision highlighted in the advisory.", "description_and_impact": "The CAI framework allows untrusted input to be passed unchanged to a shell command through subprocess.Popen with shell=True, enabling an attacker to inject arbitrary arguments such as \"-exec\" into the find_file tool. This results in Remote Code Execution on the host system, bypassing any human-in-the-loop safety mechanisms, and can compromise confidentiality, integrity, and availability of the platform. The weakness is a classic command injection scenario (CWE-78).", "risk_and_exploitability": "With a CVSS score of 9.7 and an EPSS of less than 1%, the exploit potential is high but relatively uncommon. The issue is not listed in the CISA KEV catalog. The likely attack vector involves supplying malicious arguments to the find_file tool, either through local user input if the tool is used directly or via a remote actor who can influence the input passed to CAI. No obvious prerequisites beyond the ability to control the argument list are required."}}}}, "created": "2026-02-02T09:27:04.524790+00:00", "updated": "2026-04-18T01:15:05.979781+00:00", "vendors": ["aliasrobotics", "aliasrobotics$PRODUCT$cai"]}