Severity by source
AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L
Lifecycle Timeline
7DescriptionGitHub Advisory
PPTAgent is an agentic framework for reflective PowerPoint generation. Prior to commit 418491a, there is an arbitrary file write vulnerability via save_generated_slides. This issue has been patched via commit 418491a.
AnalysisAI
Arbitrary file write vulnerability in PPTAgent prior to commit 418491a allows authenticated users with UI interaction to write files outside the intended workspace via path traversal in the save_generated_slides function, potentially overwriting arbitrary files on the system. CVSS 4.6 (low integrity and availability impact); no public exploit code identified at time of analysis.
Technical ContextAI
PPTAgent is an agentic framework for reflective PowerPoint generation that accepts user-provided file paths in the save_generated_slides API endpoint. The vulnerability stems from CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, also known as path traversal). The vulnerable code passed user-supplied file paths directly to Path() and save() without validation, allowing attackers to use relative path traversal sequences (e.g., ../../../etc/passwd) to write files outside the workspace root. The patch introduces a resolve_path_in_workspace() utility function that canonicalizes paths using Path.resolve() and validates via is_relative_to(), ensuring written files remain within the active workspace. The fix also hardens eval() calls by restricting globals to an empty builtins dictionary, mitigating secondary code injection risk. CPE: cpe:2.3:a:icip-cas:pptagent:*:*:*:*:*:*:*:* (all versions prior to the patched commit).
RemediationAI
Upgrade to the patched version by pulling commit 418491a or later from the ICIP-CAS PPTAgent GitHub repository (https://github.com/icip-cas/PPTAgent). If immediate patching is not possible, implement input validation to restrict file paths to a whitelist of allowed directories and reject any path containing traversal sequences (../, absolute paths, or symlinks pointing outside the workspace). Additionally, run PPTAgent with minimal filesystem permissions-use OS-level restrictions (chroot, containers, AppArmor, SELinux) to confine the process to a specific workspace directory, so even if path traversal succeeds, written files are physically isolated. Monitor save_generated_slides calls for suspicious path patterns (e.g., containing .. or /etc/). Trade-off: filesystem restrictions may break legitimate workflows if slides must be written to multiple locations; collaborate with stakeholders to define a whitelist.
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-27017
GHSA-pxhg-7xr2-w7xg