Is there a public PoC exploit available for CVE-2026-5532?

Yes, a public proof-of-concept exploit is available for CVE-2026-5532. Prioritise patching immediately. EPSS: 0.5%.

Scrapegraph Ai CVE-2026-5532

Q: What is the CVSS score of CVE-2026-5532?

CVE-2026-5532 has a CVSS 4.0 base score of 2.1 (Low). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.5%.

EUVD-2026-19014 LOW

OS Command Injection (CWE-78)

2026-04-05 VulDB

Command Injection Scrapegraph Ai

2.1

CVSS 4.0 · NVD

Severity by source

NVD PRIMARY

2.1 LOW

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Scope

Lifecycle Timeline

Severity Changed

Apr 29, 2026 - 01:11 NVD

MEDIUM LOW

CVSS changed

Apr 29, 2026 - 01:11 NVD

5.3 (MEDIUM) 2.1 (LOW)

PoC Detected

Apr 07, 2026 - 13:20 vuln.today

Public exploit code

EUVD ID Assigned

Apr 05, 2026 - 01:45 euvd

EUVD-2026-19014

Analysis Generated

Apr 05, 2026 - 01:45 vuln.today

CVE Published

Apr 05, 2026 - 01:15 nvd

MEDIUM 5.3

DescriptionCVE.org

A vulnerability was found in ScrapeGraphAI scrapegraph-ai up to 1.74.0. The affected element is the function create_sandbox_and_execute of the file scrapegraphai/nodes/generate_code_node.py of the component GenerateCodeNode Component. The manipulation results in os command injection. The attack may be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Remote code execution in ScrapeGraphAI scrapegraph-ai up to version 1.74.0 allows unauthenticated remote attackers to inject arbitrary operating system commands via the create_sandbox_and_execute function in GenerateCodeNode Component, with publicly available exploit code and vendor non-response confirming active real-world risk.

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Vulnerability AssessmentAI

Risk Assessment	This vulnerability presents elevated real-world risk despite the moderate CVSS score of 6.3. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker crafts a malicious input to a web application or script that uses ScrapeGraphAI for scraping, embedding OS commands within parameters passed to the GenerateCodeNode Component. When a user or automated process triggers the scraping job with the malicious input, the create_sandbox_and_execute function processes the input without proper sanitization and executes the injected OS commands with the privileges of the application process, allowing the attacker to read files, modify data, or establish reverse shells. …
Remediation	Upgrade ScrapeGraphAI scrapegraph-ai to a version released after 1.74.0 that addresses the os command injection in the GenerateCodeNode Component's create_sandbox_and_execute function. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-5532 vulnerability details – vuln.today

Back