Skip to main content

strix CVE-2026-15519

| EUVDEUVD-2026-43262 LOW
Inclusion of Functionality from Untrusted Control Sphere (CWE-829)
2026-07-13 VulDB GHSA-9x9x-v3ff-pj74
1.3
CVSS 4.0 · Vendor: VulDB

Severity by source

Vendor (VulDB) PRIMARY
1.3 LOW
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
5.0 MEDIUM

Network-reachable handler but requires high complexity and user interaction to trigger; all impacts are low with no scope change, mapping directly from the 4.0 vector.

3.1 AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
4.0 AV:N/AC:H/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (VulDB).

CVSS VectorVendor: VulDB

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

3
CVSS changed
Jul 13, 2026 - 02:22 NVD
2.3 (LOW) 1.3 (LOW)
CVSS changed
Jul 13, 2026 - 02:22 NVD
2.3 (LOW) 1.3 (LOW)
Analysis Generated
Jul 13, 2026 - 01:58 vuln.today

DescriptionCVE.org

A vulnerability was found in usestrix strix up to 1.0.2. This affects an unknown function of the file system_prompt.jinja of the component PyPI Handler. Performing a manipulation results in inclusion of functionality from untrusted control sphere. The attack is possible to be carried out remotely. The complexity of an attack is rather high. The exploitability is reported as difficult. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Inclusion of functionality from an untrusted control sphere in usestrix strix (up to v1.0.2) allows remote attackers to manipulate the system_prompt.jinja template within the PyPI Handler component, achieving limited confidentiality, integrity, and availability impact. The CVSS 4.0 score of 2.3 reflects high attack complexity and required passive user interaction, placing real-world exploitation difficulty considerably higher than the network-facing attack vector alone implies. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Influence PyPI Handler input data
Delivery
Craft malicious Jinja2 include payload
Exploit
Wait for user-triggered handler invocation
Execution
Cause system_prompt.jinja to load untrusted external template
Impact
Achieve limited data disclosure or integrity modification

Vulnerability AssessmentAI

Exploitation The target system must have strix v1.0.2 or earlier installed with the PyPI Handler component active and in use. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 base score of 2.3 (vector: AV:N/AC:H/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P) classifies this as a very low severity finding. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who can influence the input processed by the strix PyPI Handler - for example via a crafted PyPI package name or metadata - supplies a payload that causes system_prompt.jinja to include a Jinja2 template resource from an attacker-controlled location. When a user triggers the PyPI Handler workflow (satisfying the UI:P requirement), the malicious template is rendered, exposing limited application data or allowing minor unauthorised modification. …
Remediation No vendor-released patch has been identified at time of analysis - the vendor did not respond to coordinated disclosure. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-15519 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy