Skip to main content

Agent Zero CVE-2026-47119

| EUVDEUVD-2026-32524 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-05-27 disclosure@vulncheck.com GHSA-9pw8-7895-6wxc
5.3
CVSS 4.0 · Vendor: vulncheck
Share

Severity by source

Vendor (vulncheck) PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (vulncheck) · only source for this CVE.

CVSS VectorVendor: vulncheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

3
Source Code Evidence Fetched
May 27, 2026 - 21:16 vuln.today
Analysis Generated
May 27, 2026 - 21:16 vuln.today
Patch available
May 27, 2026 - 19:46 EUVD

DescriptionCVE.org

Agent Zero before version 1.15 contains a stored cross-site scripting vulnerability that allows attackers to execute arbitrary JavaScript in the application origin by serving SVG files through the image_get API endpoint without Content-Security-Policy, X-Content-Type-Options, or Content-Disposition headers. Attackers can place a crafted SVG file containing script tags in any path readable by the agent-zero process and lure an authenticated user to the image_get endpoint, causing the browser to execute the malicious script, steal the csrf_token cookie, and perform unauthorized API calls on behalf of the victim.

AnalysisAI

Stored cross-site scripting in Agent Zero before version 1.15 enables arbitrary JavaScript execution in the application origin by exploiting the image_get API endpoint's failure to set Content-Security-Policy, X-Content-Type-Options, or Content-Disposition headers when serving SVG files. An unauthenticated attacker (CVSS PR:N) who can write a crafted SVG to any filesystem path readable by the agent-zero process can then socially engineer an authenticated user into visiting the endpoint, causing the browser to execute embedded scripts, exfiltrate the csrf_token cookie, and issue unauthorized API calls on the victim's behalf. No public exploit has been identified at time of analysis, and SSVC classifies exploitation as none with automatable set to no, reflecting the mandatory user-interaction prerequisite.

Technical ContextAI

The vulnerability resides in api/image_get.py within the Agent Zero AI agent framework (all versions before 1.15). Root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation), specifically the omission of security response headers when serving SVG and SVGZ files. SVG is an XML-based format that natively supports inline JavaScript via script tags; when a browser renders SVG served without a script-blocking Content-Security-Policy or X-Content-Type-Options: nosniff header, it executes embedded scripts in the serving origin's security context. The pre-patch code in image_get.py applied no SVG-specific header treatment, serving SVG content identically to inert raster formats. The fix in commit 1f2d5122265282d6b98bc36ee8f9d0f8ab76db9e introduces a hardened CSP string ('sandbox; default-src none; script-src none; img-src self data:; style-src unsafe-inline') applied exclusively to .svg and .svgz responses, adds X-Content-Type-Options: nosniff across all image types, and introduces a path traversal guard (_resolve_allowed_image_path) that constrains file resolution to the application's base directory. No CPE string was provided in the source data; affected product is identified via EUVD-2026-32524 as Agent-Zero versions 0 through less than 1.15.

RemediationAI

Upgrade Agent Zero to version 1.15 or later, which is the vendor-released patch confirmed by EUVD-2026-32524 and implemented in commit 1f2d5122265282d6b98bc36ee8f9d0f8ab76db9e (https://github.com/3clyp50/agent-zero/commit/1f2d5122265282d6b98bc36ee8f9d0f8ab76db9e). The patch adds an SVG-specific Content-Security-Policy ('sandbox; default-src none; script-src none') and X-Content-Type-Options: nosniff to the image_get response, and restricts path resolution to the application base directory. If immediate upgrade is not feasible, block external access to the image_get endpoint at the reverse proxy or WAF layer by denying requests to the equivalent route - note this will break legitimate in-application image rendering. Additionally, audit and restrict write permissions on directories readable by the agent-zero process to prevent attackers from planting SVG payloads; this is a compensating control only and does not eliminate the header-injection root cause. The VulnCheck advisory at https://www.vulncheck.com/advisories/agent-zero-stored-xss-via-image-get-api-endpoint and GitHub issue https://github.com/agent0ai/agent-zero/issues/1609 provide additional vendor context.

Share

CVE-2026-47119 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy