Skip to main content

PPTAgent CVE-2026-42080

| EUVDEUVD-2026-27017 MEDIUM
Path Traversal (CWE-22)
2026-05-04 GitHub_M GHSA-pxhg-7xr2-w7xg
4.6
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.6 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

7
Patch available
May 04, 2026 - 18:32 EUVD
Source Code Evidence Fetched
May 04, 2026 - 17:50 vuln.today
Analysis Generated
May 04, 2026 - 17:50 vuln.today
Patch released
May 04, 2026 - 17:16 nvd
Patch available
EUVD ID Assigned
May 04, 2026 - 17:15 euvd
EUVD-2026-27017
Analysis Generated
May 04, 2026 - 17:15 vuln.today
CVE Published
May 04, 2026 - 16:58 nvd
MEDIUM 4.6

DescriptionGitHub Advisory

PPTAgent is an agentic framework for reflective PowerPoint generation. Prior to commit 418491a, there is an arbitrary file write vulnerability via save_generated_slides. This issue has been patched via commit 418491a.

AnalysisAI

Arbitrary file write vulnerability in PPTAgent prior to commit 418491a allows authenticated users with UI interaction to write files outside the intended workspace via path traversal in the save_generated_slides function, potentially overwriting arbitrary files on the system. CVSS 4.6 (low integrity and availability impact); no public exploit code identified at time of analysis.

Technical ContextAI

PPTAgent is an agentic framework for reflective PowerPoint generation that accepts user-provided file paths in the save_generated_slides API endpoint. The vulnerability stems from CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, also known as path traversal). The vulnerable code passed user-supplied file paths directly to Path() and save() without validation, allowing attackers to use relative path traversal sequences (e.g., ../../../etc/passwd) to write files outside the workspace root. The patch introduces a resolve_path_in_workspace() utility function that canonicalizes paths using Path.resolve() and validates via is_relative_to(), ensuring written files remain within the active workspace. The fix also hardens eval() calls by restricting globals to an empty builtins dictionary, mitigating secondary code injection risk. CPE: cpe:2.3:a:icip-cas:pptagent:*:*:*:*:*:*:*:* (all versions prior to the patched commit).

RemediationAI

Upgrade to the patched version by pulling commit 418491a or later from the ICIP-CAS PPTAgent GitHub repository (https://github.com/icip-cas/PPTAgent). If immediate patching is not possible, implement input validation to restrict file paths to a whitelist of allowed directories and reject any path containing traversal sequences (../, absolute paths, or symlinks pointing outside the workspace). Additionally, run PPTAgent with minimal filesystem permissions-use OS-level restrictions (chroot, containers, AppArmor, SELinux) to confine the process to a specific workspace directory, so even if path traversal succeeds, written files are physically isolated. Monitor save_generated_slides calls for suspicious path patterns (e.g., containing .. or /etc/). Trade-off: filesystem restrictions may break legitimate workflows if slides must be written to multiple locations; collaborate with stakeholders to define a whitelist.

Share

CVE-2026-42080 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy