What is the CVSS score of EUVD-2025-18486?

EUVD-2025-18486 has a CVSS 3.1 base score of 5.5 (Medium). CVSS vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L. EPSS exploitation probability: 0.1%.

Which versions of Python are affected by EUVD-2025-18486?

Organizations using themanojdesai python-a2a should be aware of moderate risk from CVE-2025-6167, a path traversal vulnerability rated CVSS 5.5. This could allow unauthorized file access.. A patch is available.

Is there a public PoC exploit available for EUVD-2025-18486?

Yes, a public proof-of-concept exploit is available for EUVD-2025-18486. Prioritise patching immediately. EPSS: 0.1%.

How to fix or mitigate EUVD-2025-18486?

Within 30 days: Identify affected systems running themanojdesai python-a2a and apply vendor patches as part of regular patch cycle. Review file handling controls.

Python EUVD-2025-18486

| CVE-2025-6167 MEDIUM

Path Traversal (CWE-22)

2025-06-17 cna@vuldb.com

GHSA-rp38-pj7h-r8q2

Python Path Traversal Python A2a

5.5

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

5.5 MEDIUM

AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Attack Vector

Adjacent

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

Low

Lifecycle Timeline

Patch released

Mar 31, 2026 - 21:13 nvd

Patch available

EUVD ID Assigned

Mar 14, 2026 - 22:15 euvd

EUVD-2025-18486

Analysis Generated

Mar 14, 2026 - 22:15 vuln.today

PoC Detected

Jul 02, 2025 - 19:36 vuln.today

Public exploit code

CVE Published

Jun 17, 2025 - 07:15 nvd

MEDIUM 5.5

Blast Radius

ecosystem impact

† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth

2 pypi packages depend on python-a2a (2 direct, 0 indirect)

Ecosystem-wide dependent count for version 0.5.6.

DescriptionCVE.org

A vulnerability classified as critical has been found in themanojdesai python-a2a up to 0.5.5. Affected is the function create_workflow of the file python_a2a/agent_flow/server/api.py. The manipulation leads to path traversal. Upgrading to version 0.5.6 is able to address this issue. It is recommended to upgrade the affected component.

Analysis

Technical ContextAI

Path traversal allows an attacker to access files outside the intended directory by manipulating file paths with sequences like '../'.

RemediationAI

Validate and sanitize file path inputs. Use a whitelist of allowed files or directories. Implement chroot jails or containerization.

More from same product – last 7 days

CVE-2026-48039 CRITICAL Act Now POC

9.1 Jun 11

Unauthenticated remote attackers can invoke MCP tool handlers and exfiltrate the operator's long-lived Meta Graph API ac

CVE-2026-20251 HIGH This Week

8.8 Jun 10

Remote code execution in Splunk Enterprise, Splunk Cloud Platform, and the Splunk Secure Gateway app allows a low-privil

CVE-2026-53753 CRITICAL Act Now

9.8 Jun 16

Unauthenticated remote code execution in Crawl4AI versions <= 0.8.6 allows attackers to escape the AST-based sandbox in

CVE-2026-48519 CRITICAL Act Now

9.6 Jun 16

Remote code execution in Langflow versions through 1.9.1 allows unauthenticated attackers to execute arbitrary Python co

CVE-2026-45833 CRITICAL Act Now

9.4 Jun 12

Authenticated remote code execution in ChromaDB Python project versions 0.4.17 and later enables attackers holding the U

EUVD-2025-18486 vulnerability details – vuln.today

Back