What is the CVSS score of CVE-2026-25592?

CVE-2026-25592 has a CVSS 3.1 base score of 9.9 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H. EPSS exploitation probability: 0.1%.

Which versions of Python are affected by CVE-2026-25592?

A critical path traversal vulnerability (CVE-2026-25592, CVSS 9.9) affects AI agent deployment platforms up to version 1.71.0, enabling attackers to access unauthorized files and potentially…. A patch is available.

Is there a public PoC exploit available for CVE-2026-25592?

Yes, a public proof-of-concept exploit is available for CVE-2026-25592. Prioritise patching immediately. EPSS: 0.1%.

How to fix or mitigate CVE-2026-25592?

Within 24 hours: Inventory all systems running affected versions up to 1.71.0 and isolate them from production environments if possible. Within 7 days: Implement network-level compensating controls (WAF rules blocking path traversal patterns, input validation enforcement) and disable multi-agent deployment features if operationally feasible. Within 30 days: Establish continuous monitoring for suspicious file access patterns and develop a patch deployment timeline as soon as vendor releases fixes.

Python CVE-2026-25592

CRITICAL

Path Traversal (CWE-22)

2026-02-06 security-advisories@github.com

GHSA-2ww3-72rp-wpp4

Microsoft Linux Python .NET AI / ML

9.9

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

9.9 CRITICAL

AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Patch released

Mar 31, 2026 - 21:13 nvd

Patch available

Analysis Generated

Mar 12, 2026 - 21:54 vuln.today

CVE Published

Feb 06, 2026 - 21:16 nvd

CRITICAL 9.9

DescriptionGitHub Advisory

Semantic Kernel is an SDK used to build, orchestrate, and deploy AI agents and multi-agent systems. Prior to 1.71.0, an Arbitrary File Write vulnerability has been identified in Microsoft's Semantic Kernel .NET SDK, specifically within the SessionsPythonPlugin. The problem has been fixed in Microsoft.SemanticKernel.Core version 1.71.0. As a mitigation, users can create a Function Invocation Filter which checks the arguments being passed to any calls to DownloadFileAsync  or UploadFileAsync and ensures the provided localFilePath is allow listed.

AnalysisAI

Microsoft Semantic Kernel SDK has a CVSS 9.9 path traversal vulnerability enabling AI agents to access arbitrary files outside their intended scope.

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Authenticate to application using Semantic Kernel

Delivery

Invoke SessionsPythonPlugin DownloadFileAsync

Exploit

Supply path traversal payload in localFilePath

Execution

Write arbitrary file outside intended directory

Impact

Execute code or compromise system

Access

Authenticate to application using Semantic Kernel

Delivery

Invoke SessionsPythonPlugin DownloadFileAsync

Exploit

Supply path traversal payload in localFilePath

Execution

Write arbitrary file outside intended directory

Impact

Execute code or compromise system

Vulnerability AssessmentAI

Exploitation	Semantic Kernel .NET SDK versions prior to 1.71.0 with SessionsPythonPlugin enabled; authenticated user access required; application must call DownloadFileAsync or UploadFileAsync without validating localFilePath parameter against directory traversal attacks. Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	CVSS 9.9 — Semantic Kernel is widely used for enterprise AI applications. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	A prompt injection attack causes a Semantic Kernel-based AI agent to use the path traversal to read sensitive files like .env, database credentials, or SSH keys from the host system.
Remediation	Update Semantic Kernel. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all systems running affected versions up to 1.71.0 and isolate them from production environments if possible. …

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-48039 CRITICAL Act Now POC

9.1 Jun 11

Unauthenticated remote attackers can invoke MCP tool handlers and exfiltrate the operator's long-lived Meta Graph API ac

CVE-2026-45833 CRITICAL Act Now

9.4 Jun 12

Authenticated remote code execution in ChromaDB Python project versions 0.4.17 and later enables attackers holding the U

CVE-2026-48031 CRITICAL Act Now

9.1 Jun 10

Authentication bypass in dhax/go-base Go REST API boilerplate (versions prior to commit cc82b974, merged May 17, 2026) a

CVE-2026-11393 HIGH This Week

8.8 Jun 08

Remote code execution in AWS AgentCore CLI before v0.14.2 allows authenticated attackers to inject Python code via craft

CVE-2026-20251 HIGH This Week

8.8 Jun 10

Remote code execution in Splunk Enterprise, Splunk Cloud Platform, and the Splunk Secure Gateway app allows a low-privil

CVE-2026-25592 vulnerability details – vuln.today

Back

Python CVE-2026-25592

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

DescriptionGitHub Advisory

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

More from same product – last 7 days

Share

External POC / Exploit Code