Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionGitHub Advisory
ai-scanner is an AI model safety scanner built on NVIDIA garak. From version 1.0.0 to before version 1.4.1, there is a remote code execution vulnerability via JavaScript injection in BrowserAutomation::PlaywrightService. This issue has been patched in version 1.4.1.
AnalysisAI
Remote code execution in ai-scanner versions 1.0.0 through 1.4.0 allows authenticated attackers to inject and execute arbitrary JavaScript code via the BrowserAutomation::PlaywrightService component. The vulnerability has a Critical CVSS score of 9.9 with scope change, enabling cross-boundary compromise of confidentiality, integrity, and availability. Vendor-released patch available in version 1.4.1 as of April 13, 2026, with GitHub Security Advisory GHSA-r27j-xxgx-f5vr confirming the fix.
Technical ContextAI
The vulnerability resides in ai-scanner, an AI model safety scanning tool built on NVIDIA garak framework. The flaw is a CWE-94 code injection weakness in the BrowserAutomation::PlaywrightService module, which likely handles browser automation testing via Microsoft's Playwright framework. The service appears to improperly sanitize or validate JavaScript input before execution in browser contexts, allowing attackers to break out of intended execution boundaries. The CVSS scope change (S:C) indicates the vulnerable component can affect resources beyond its security scope, suggesting the Playwright service operates with elevated privileges or can access adjacent trust domains within the AI scanning infrastructure.
RemediationAI
Upgrade immediately to ai-scanner version 1.4.1 released April 13, 2026, which applies security hardening to the BrowserAutomation::PlaywrightService component per GitHub issue #16. Download from https://github.com/0din-ai/ai-scanner/releases/tag/v1.4.1 and verify release integrity before deployment. If immediate patching is not feasible, implement compensating controls: restrict network access to the ai-scanner service to trusted IP ranges only via firewall rules; enforce strong authentication with MFA for all service accounts; disable or restrict access to browser automation features if not required for current scanning operations (trade-off: reduced testing coverage for browser-based AI model interfaces); deploy the service in an isolated network segment with egress filtering to limit post-exploitation lateral movement; enable comprehensive audit logging for all BrowserAutomation service invocations to detect injection attempts. Review access logs for versions 1.0.0-1.4.0 for suspicious JavaScript patterns in automation parameters as potential IOCs.
The NVIDIA driver in the Graphics Drivers subsystem in Apple OS X before 10.11.4 allows attackers to execute arbitrary c
The NVIDIA driver before 307.78, and Release 310 before 311.00, in the NVIDIA Display Driver service on Windows does not
NVIDIA Windows GPU Display Driver (all versions) contains a vulnerability in DirectX drivers, in which a specially craft
Authentication bypass in NVIDIA Triton Inference Server allows unauthenticated remote attackers to reach protected funct
NVIDIA Windows GPU Display Driver (all versions) contains a vulnerability in DirectX drivers, in which a specially craft
NVIDIA Container Toolkit for Linux contains a Time-of-Check Time-of-Use (TOCTOU) vulnerability when used with default co
For the NVIDIA Quadro, NVS, and GeForce products, NVIDIA GeForce Experience R340 before GFE 2.11.4.125 and R375 before G
The NVIDIA Graphics Drivers subsystem in Apple OS X before 10.11.5 allows attackers to execute arbitrary code in a privi
NVIDIA Container Toolkit 1.16.1 or earlier contains a Time-of-check Time-of-Use (TOCTOU) vulnerability when used with de
The nvCommandQueue::GetHandleIndex method in the NVIDIA Graphics Drivers subsystem in Apple OS X before 10.11.5 allows a
nvSCPAPISvr.exe in the Stereoscopic 3D Driver Service in the NVIDIA GPU graphics driver R340 before 341.92, R352 before
For the NVIDIA Quadro, NVS, and GeForce products, NVIDIA Windows GPU Display Driver R340 before 342.00 and R375 before 3
Same weakness CWE-94 – Code Injection
View allSame technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28599