Skip to main content

Txtai

1 CVEs product

Monthly

CVE-2026-58449 CRITICAL PATCH Act Now

Remote code execution in txtai through 9.10.0 lets a remote attacker reach the API /reindex endpoint and supply an arbitrary dotted callable (for example subprocess.getoutput) that the server imports and invokes during reindexing, running commands as the server process. The flaw is exploitable only when the API is network-exposed with no TOKEN set (so all endpoints are unauthenticated) and the index is writable - not the default posture. No public exploit has been identified at time of analysis, but the issue carries a high CVSS 4.0 base score of 9.3 and was reported by VulnCheck.

Code Injection RCE Txtai
NVD GitHub
CVSS 4.0
9.3
EPSS
0.7%
EPSS 1% CVSS 9.3
CRITICAL PATCH Act Now

Remote code execution in txtai through 9.10.0 lets a remote attacker reach the API /reindex endpoint and supply an arbitrary dotted callable (for example subprocess.getoutput) that the server imports and invokes during reindexing, running commands as the server process. The flaw is exploitable only when the API is network-exposed with no TOKEN set (so all endpoints are unauthenticated) and the index is writable - not the default posture. No public exploit has been identified at time of analysis, but the issue carries a high CVSS 4.0 base score of 9.3 and was reported by VulnCheck.

Code Injection RCE Txtai
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy