{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35002", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-03-31T20:40:15.617Z", "datePublished": "2026-04-02T14:34:14.538Z", "dateUpdated": "2026-04-02T15:23:20.841Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-04-02T14:44:37.191Z"}, "title": "Agno < 2.3.24 field_type Eval Injection Arbitrary Code Execution", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-95", "description": "CWE-95 Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')", "type": "CWE"}]}], "affected": [{"vendor": "Agno", "product": "Agno", "repo": "https://github.com/agno-agi/agno", "versions": [{"status": "affected", "version": "0", "lessThan": "2.3.24", "versionType": "semver"}, {"status": "affected", "version": "cbf675521d4d2281925a051784a3b94172e56416", "versionType": "git"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Agno versions prior to 2.3.24 contain an arbitrary code execution vulnerability in the model execution component that allows attackers to execute arbitrary Python code by manipulating the field_type parameter passed to eval(). Attackers can influence the field_type value in a FunctionCall to achieve remote code execution.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Agno versions prior to 2.3.24 contain an arbitrary code execution vulnerability in the model execution component that allows attackers to execute arbitrary Python code by manipulating the field_type parameter passed to eval(). Attackers can influence the field_type value in a FunctionCall to achieve remote code execution.<br>"}]}], "references": [{"url": "https://github.com/agno-agi/agno/releases/tag/v2.3.24", "tags": ["release-notes"]}, {"url": "https://github.com/agno-agi/agno/commit/cbf675521d4d2281925a051784a3b94172e56416", "tags": ["patch"]}, {"url": "https://www.vulncheck.com/advisories/agno-field-type-eval-injection-arbitrary-code-execution", "tags": ["third-party-advisory"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "CRITICAL", "baseScore": 9.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}}], "credits": [{"lang": "en", "value": "Eran Shimony, Palo Alto Networks", "type": "finder"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-02T15:23:11.274152Z", "id": "CVE-2026-35002", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T15:23:20.841Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-35002", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-02T15:23:11.274152Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T15:23:13.911Z"}}], "cna": {"title": "Agno < 2.3.24 field_type Eval Injection Arbitrary Code Execution", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Eran Shimony, Palo Alto Networks"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/agno-agi/agno", "vendor": "Agno", "product": "Agno", "versions": [{"status": "affected", "version": "0", "lessThan": "2.3.24", "versionType": "semver"}, {"status": "affected", "version": "cbf675521d4d2281925a051784a3b94172e56416", "versionType": "git"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/agno-agi/agno/releases/tag/v2.3.24", "tags": ["release-notes"]}, {"url": "https://github.com/agno-agi/agno/commit/cbf675521d4d2281925a051784a3b94172e56416", "tags": ["patch"]}, {"url": "https://www.vulncheck.com/advisories/agno-field-type-eval-injection-arbitrary-code-execution", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "Agno versions prior to 2.3.24 contain an arbitrary code execution vulnerability in the model execution component that allows attackers to execute arbitrary Python code by manipulating the field_type parameter passed to eval(). Attackers can influence the field_type value in a FunctionCall to achieve remote code execution.", "supportingMedia": [{"type": "text/html", "value": "Agno versions prior to 2.3.24 contain an arbitrary code execution vulnerability in the model execution component that allows attackers to execute arbitrary Python code by manipulating the field_type parameter passed to eval(). Attackers can influence the field_type value in a FunctionCall to achieve remote code execution.<br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-95", "description": "CWE-95 Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-04-02T14:44:37.191Z"}}}, "cveMetadata": {"cveId": "CVE-2026-35002", "state": "PUBLISHED", "dateUpdated": "2026-04-02T15:23:20.841Z", "dateReserved": "2026-03-31T20:40:15.617Z", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "datePublished": "2026-04-02T14:34:14.538Z", "assignerShortName": "VulnCheck"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:agno:agno:*:*:*:*:*:*:*:*", "matchCriteriaId": "FF47D152-EC8A-47F4-BEDA-FE49DD1F04EE", "versionEndExcluding": "2.3.24", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Agno versions prior to 2.3.24 contain an arbitrary code execution vulnerability in the model execution component that allows attackers to execute arbitrary Python code by manipulating the field_type parameter passed to eval(). Attackers can influence the field_type value in a FunctionCall to achieve remote code execution."}], "id": "CVE-2026-35002", "lastModified": "2026-04-16T17:41:17.293", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-04-02T15:16:52.063", "references": [{"source": "disclosure@vulncheck.com", "tags": ["Patch"], "url": "https://github.com/agno-agi/agno/commit/cbf675521d4d2281925a051784a3b94172e56416"}, {"source": "disclosure@vulncheck.com", "tags": ["Product"], "url": "https://github.com/agno-agi/agno/releases/tag/v2.3.24"}, {"source": "disclosure@vulncheck.com", "tags": ["Third Party Advisory"], "url": "https://www.vulncheck.com/advisories/agno-field-type-eval-injection-arbitrary-code-execution"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-95"}], "source": "disclosure@vulncheck.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.3.24)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "cbf675521d4d2281925a051784a3b94172e56416"}}], "enrichment": {"confidence": 82.0, "confidence_source": "matching", "scores": [{"score": 82.0, "source": "matching"}]}, "original": {"product": "Agno", "source": "cna", "vendor": "Agno"}, "product": "agno", "vendor": "agno-agi"}], "analysis": {"en": {"generated_at": "2026-04-02T15:21:22.957146+00:00", "value": {"mitigation_remediation": ["Upgrade Agno to version 2.3.24 or later to patch the eval injection flaw.", "Verify that the latest release has been successfully applied by checking the release notes or the package signature.", "If an immediate upgrade is not possible, limit external access to the FunctionCall API or isolate the instance behind a firewall.", "Regularly review Agno security advisories to stay informed of new patches or updates."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "All releases of Agno earlier than version 2.3.24 are susceptible. Any instance that processes user\u2011supplied FunctionCall objects exposed via APIs or web services can be targeted.", "description_and_impact": "An issue in Agno\u2019s model execution component allows attackers to execute any Python code by changing the field_type parameter that is passed to eval(). The vulnerability is a code\u2011injection flaw (CWE-95) that can be triggered through a FunctionCall, giving the attacker full control over the Agno process. This leads to total compromise of confidentiality, integrity, and availability of the affected instance.", "risk_and_exploitability": "The CVSS score of 9.3 marks this issue as critical, and while an EPSS score is not provided, the severity indicates a high likelihood of exploitation. The flaw is not listed in CISA\u2019s KEV catalog, but an attacker can remotely inject malicious field_type content and have it executed with the same privileges as the Agno process."}}}}, "created": "2026-04-02T20:12:18.233705+00:00", "updated": "2026-04-02T20:20:58.889197+00:00", "vendors": ["agno-agi", "agno-agi$PRODUCT$agno"]}