Which versions of TransformerOptimus SuperAGI are affected by CVE-2026-6615?

TransformerOptimus SuperAGI versions 0.0.14 and earlier contain a path traversal vulnerability allowing unauthenticated remote attackers to read, write, or delete files on affected systems through…

Is there a public PoC exploit available for CVE-2026-6615?

Yes, a public proof-of-concept exploit is available for CVE-2026-6615. Prioritise patching immediately. EPSS: 0.1%.

TransformerOptimus SuperAGI CVE-2026-6615

Q: What is the CVSS score of CVE-2026-6615?

CVE-2026-6615 has a CVSS 4.0 base score of 5.5 (Medium). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.1%.

EUVD-2026-23801 MEDIUM

Path Traversal (CWE-22)

2026-04-20 VulDB

Path Traversal

5.5

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

CVSS changed

Apr 29, 2026 - 01:12 NVD

6.9 (MEDIUM) 5.5 (MEDIUM)

PoC Detected

Apr 29, 2026 - 01:00 vuln.today

Public exploit code

Severity Changed

Apr 20, 2026 - 08:22 NVD

HIGH MEDIUM

CVSS changed

Apr 20, 2026 - 08:22 NVD

7.3 (HIGH) 6.9 (MEDIUM)

Analysis Generated

Apr 20, 2026 - 07:56 vuln.today

EUVD ID Assigned

Apr 20, 2026 - 07:45 euvd

EUVD-2026-23801

Analysis Generated

Apr 20, 2026 - 07:45 vuln.today

CVE Published

Apr 20, 2026 - 07:00 nvd

MEDIUM 5.5

DescriptionNVD

A weakness has been identified in TransformerOptimus SuperAGI up to 0.0.14. Affected by this issue is the function Upload of the file superagi/controllers/resources.py of the component Multipart Upload Handler. This manipulation of the argument Name causes path traversal. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Path traversal in TransformerOptimus SuperAGI versions up to 0.0.14 allows remote unauthenticated attackers to read, write, or delete arbitrary files via manipulated 'Name' parameter in multipart upload requests. Publicly available exploit code exists (GitHub Gist) demonstrating exploitation. …

RemediationAI

Within 24 hours: Identify all systems running TransformerOptimus SuperAGI versions 0.0.14 or earlier and take them offline or restrict network access. Within 7 days: Monitor vendor advisories for patch availability and evaluate upgrading to a patched version when released; contact vendor for timeline. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-6615 vulnerability details – vuln.today

Back

TransformerOptimus SuperAGI CVE-2026-6615

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Analysis

Full analysis requires sign-in

Share

TransformerOptimus SuperAGI CVE-2026-6615

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code