Python
CVE-2026-25640
HIGH
GHSA-wjp5-868j-wqv7
Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
Lifecycle Timeline
3Blast Radius
ecosystem impact- 1 pypi packages depend on pydantic-ai (1 direct, 0 indirect)
- 4 pypi packages depend on pydantic-ai-slim (3 direct, 1 indirect)
Ecosystem-wide dependent count for version 1.34.0 and other introduced versions.
DescriptionGitHub Advisory
Pydantic AI is a Python agent framework for building applications and workflows with Generative AI. From 1.34.0 to before 1.51.0, a path traversal vulnerability in the Pydantic AI web UI allows an attacker to serve arbitrary JavaScript in the context of the application by crafting a malicious URL. In affected versions, the CDN URL is constructed using a version query parameter from the request URL. This parameter is not validated, allowing path traversal sequences that cause the server to fetch and serve attacker-controlled HTML/JavaScript from an arbitrary source on the same CDN, instead of the legitimate chat UI package. If a victim clicks the link or visits it via an iframe, attacker-controlled code executes in their browser, enabling theft of chat history and other client-side data. This vulnerability only affects applications that use Agent.to_web to serve a chat interface and clai web to serve a chat interface from the CLI. These are typically run locally (on localhost), but may also be deployed on a remote server. This vulnerability is fixed in 1.51.0.
AnalysisAI
Pydantic AI versions 1.34.0 through 1.50.x contain a path traversal vulnerability in the web UI that allows unauthenticated attackers to inject arbitrary JavaScript by manipulating the CDN version parameter in a malicious URL. When a victim visits the crafted link, attacker-controlled code executes in their browser, enabling theft of chat history and other sensitive client-side data. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Pydantic AI web UI versions 1.34.0 to before 1.51.0 with unvalidated CDN URL construction via version query parameter. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | CVSS 7.1 (HIGH). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A remote attacker could exploit this vulnerability to serve arbitrary JavaScript in the context of the application by crafting a malic. |
| Remediation | Fixed in version 1.51.0.. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all instances of Pydantic AI running versions 1.34.0-1.50.x in your environment and document exposure. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More from same product – last 7 days
Unauthenticated remote attackers can invoke MCP tool handlers and exfiltrate the operator's long-lived Meta Graph API ac
Unauthenticated remote code execution in Crawl4AI versions <= 0.8.6 allows attackers to escape the AST-based sandbox in
Remote code execution in Langflow versions through 1.9.1 allows unauthenticated attackers to execute arbitrary Python co
Authenticated remote code execution in ChromaDB Python project versions 0.4.17 and later enables attackers holding the U
Remote code execution in python-statemachine 3.0.0 through 3.1.x allows attackers to run arbitrary Python in the host pr
Vendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today