{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6603", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-04-19T14:11:50.809Z", "datePublished": "2026-04-20T04:00:20.462Z", "dateUpdated": "2026-04-20T14:59:13.475Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-20T04:00:20.462Z"}, "title": "modelscope agentscope _python.py execute_shell_command code injection", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-94", "lang": "en", "description": "Code Injection"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-74", "lang": "en", "description": "Injection"}]}], "affected": [{"vendor": "modelscope", "product": "agentscope", "versions": [{"version": "1.0.0", "status": "affected"}, {"version": "1.0.1", "status": "affected"}, {"version": "1.0.2", "status": "affected"}, {"version": "1.0.3", "status": "affected"}, {"version": "1.0.4", "status": "affected"}, {"version": "1.0.5", "status": "affected"}, {"version": "1.0.6", "status": "affected"}, {"version": "1.0.7", "status": "affected"}, {"version": "1.0.8", "status": "affected"}, {"version": "1.0.9", "status": "affected"}, {"version": "1.0.10", "status": "affected"}, {"version": "1.0.11", "status": "affected"}, {"version": "1.0.12", "status": "affected"}, {"version": "1.0.13", "status": "affected"}, {"version": "1.0.14", "status": "affected"}, {"version": "1.0.15", "status": "affected"}, {"version": "1.0.16", "status": "affected"}, {"version": "1.0.17", "status": "affected"}, {"version": "1.0.18", "status": "affected"}], "cpes": ["cpe:2.3:a:modelscope:agentscope:*:*:*:*:*:*:*:*"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was determined in modelscope agentscope up to 1.0.18. Affected by this vulnerability is the function execute_python_code/execute_shell_command of the file src/AgentScope/tool/_coding/_python.py. This manipulation causes code injection. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "HIGH"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 7.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "HIGH"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-04-19T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-04-19T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-04-19T16:17:39.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "Eric-f (VulDB User)", "type": "reporter"}, {"lang": "en", "value": "VulDB CNA Team", "type": "coordinator"}], "references": [{"url": "https://vuldb.com/vuln/358238", "name": "VDB-358238 | modelscope agentscope _python.py execute_shell_command code injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/358238/cti", "name": "VDB-358238 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/792223", "name": "Submit #792223 | AgentScope <= 1.0.18 Code Injection (CWE-94)", "tags": ["third-party-advisory"]}, {"url": "https://gist.github.com/YLChen-007/c084d69aaeda6729f3988603f2b0ce6e", "tags": ["exploit"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-20T14:59:01.314563Z", "id": "CVE-2026-6603", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T14:59:13.475Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-6603", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-20T14:59:01.314563Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T14:59:08.605Z"}}], "cna": {"title": "modelscope agentscope _python.py execute_shell_command code injection", "credits": [{"lang": "en", "type": "reporter", "value": "Eric-f (VulDB User)"}, {"lang": "en", "type": "coordinator", "value": "VulDB CNA Team"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 7.3, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 7.3, "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "affected": [{"cpes": ["cpe:2.3:a:modelscope:agentscope:*:*:*:*:*:*:*:*"], "vendor": "modelscope", "product": "agentscope", "versions": [{"status": "affected", "version": "1.0.0"}, {"status": "affected", "version": "1.0.1"}, {"status": "affected", "version": "1.0.2"}, {"status": "affected", "version": "1.0.3"}, {"status": "affected", "version": "1.0.4"}, {"status": "affected", "version": "1.0.5"}, {"status": "affected", "version": "1.0.6"}, {"status": "affected", "version": "1.0.7"}, {"status": "affected", "version": "1.0.8"}, {"status": "affected", "version": "1.0.9"}, {"status": "affected", "version": "1.0.10"}, {"status": "affected", "version": "1.0.11"}, {"status": "affected", "version": "1.0.12"}, {"status": "affected", "version": "1.0.13"}, {"status": "affected", "version": "1.0.14"}, {"status": "affected", "version": "1.0.15"}, {"status": "affected", "version": "1.0.16"}, {"status": "affected", "version": "1.0.17"}, {"status": "affected", "version": "1.0.18"}]}], "timeline": [{"lang": "en", "time": "2026-04-19T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-04-19T02:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-04-19T16:17:39.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/vuln/358238", "name": "VDB-358238 | modelscope agentscope _python.py execute_shell_command code injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/358238/cti", "name": "VDB-358238 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/792223", "name": "Submit #792223 | AgentScope <= 1.0.18 Code Injection (CWE-94)", "tags": ["third-party-advisory"]}, {"url": "https://gist.github.com/YLChen-007/c084d69aaeda6729f3988603f2b0ce6e", "tags": ["exploit"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was determined in modelscope agentscope up to 1.0.18. Affected by this vulnerability is the function execute_python_code/execute_shell_command of the file src/AgentScope/tool/_coding/_python.py. This manipulation causes code injection. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "Code Injection"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-74", "description": "Injection"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-20T04:00:20.462Z"}}}, "cveMetadata": {"cveId": "CVE-2026-6603", "state": "PUBLISHED", "dateUpdated": "2026-04-20T14:59:13.475Z", "dateReserved": "2026-04-19T14:11:50.809Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-04-20T04:00:20.462Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was determined in modelscope agentscope up to 1.0.18. Affected by this vulnerability is the function execute_python_code/execute_shell_command of the file src/AgentScope/tool/_coding/_python.py. This manipulation causes code injection. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way."}], "id": "CVE-2026-6603", "lastModified": "2026-04-29T01:00:01.613", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-04-20T05:16:15.353", "references": [{"source": "cna@vuldb.com", "url": "https://gist.github.com/YLChen-007/c084d69aaeda6729f3988603f2b0ce6e"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/submit/792223"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/358238"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/358238/cti"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-94"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.0.0"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.0.1"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.0.2"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.0.3"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.0.4"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.0.5"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.0.6"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.0.7"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.0.8"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.0.9"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.0.10"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.0.11"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.0.12"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.0.13"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.0.14"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.0.15"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.0.16"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.0.17"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.0.18"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "agentscope", "source": "cna", "vendor": "modelscope"}, "product": "agentscope", "vendor": "modelscope"}], "analysis": {"en": {"generated_at": "2026-04-20T06:21:53.001738+00:00", "value": {"mitigation_remediation": ["Apply the latest vendor patch or upgrade to a version newer than 1.0.18 once released.", "Restrict or disable the execute_python_code/execute_shell_command interface to users with explicit authorization, using role\u2011based access controls.", "Validate and sanitize all input passed to execute_shell_command, rejecting or escaping characters that could be used for injection."], "summary": {"action": "Patch Now", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The affected product is modelscope agentscope up to version 1.0.18. Vendors and product details from the CNA indicate that any deployment of agentscope below version 1.0.19 is vulnerable; the specific versions in the supply chain are not enumerated beyond this upper bound.", "description_and_impact": "A vulnerability exists in the execute_python_code and execute_shell_command functions of modelscope agentscope (source file src/AgentScope/tool/_coding/_python.py) that allows code injection via unsafe handling of user\u2011supplied input. The flaw, identified as CWE\u201174 and CWE\u201194, enables an attacker to inject arbitrary shell commands, effectively leading to remote code execution. The CVSS score of 6.9 reflects the severity of this remote exploitation risk. The vulnerability is not listed in the CISA KEV catalog and no EPSS value is available, yet it has been publicly disclosed, making it available to potential attackers.", "risk_and_exploitability": "The vulnerability can be exploited remotely through any interface that triggers the execute_shell_command function. No authentication or preprocessing is performed before command execution, so an attacker with network access can inject command payloads. Because the code runs with the privileges of the agent process, successful exploitation can compromise the entire host. The absence of an EPSS score leaves the actual exploitation probability uncertain, but the public disclosure and remote nature suggest a non\u2011negligible risk."}}}}, "created": "2026-04-20T06:30:45.091899+00:00", "updated": "2026-04-20T06:30:45.308629+00:00", "vendors": ["modelscope", "modelscope$PRODUCT$agentscope"]}