CVE-2026-4500
Received Received - Intake
Injection Vulnerability in bagofwords1 generate_df Allows Remote Exploit

Publication date: 2026-03-20

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was identified in bagofwords1 bagofwords up to 0.0.297. This impacts the function generate_df of the file backend/app/ai/code_execution/code_execution.py. Such manipulation leads to injection. The attack may be launched remotely. The exploit is publicly available and might be used. Upgrading to version 0.0.298 will fix this issue. The name of the patch is 47b20bcda31264635faff7f6b1c8095abe1861c6. It is recommended to upgrade the affected component.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-20
Last Modified
2026-04-29
Generated
2026-05-06
AI Q&A
2026-03-20
EPSS Evaluated
2026-05-05
NVD
CVE-2026-4500
EUVD
EUVD-2026-13802
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
bagofwords1 bagofwords to 0.0.297 (inc)
bagofwords1 bagofwords 0.0.298
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
CWE-707 The product does not ensure or incorrectly ensures that structured messages or data are well-formed and that certain security properties are met before being read from an upstream component or sent to a downstream component.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

[{'type': 'paragraph', 'content': 'CVE-2026-4500 is a critical Remote Code Execution (RCE) vulnerability in the bagofwords application (versions up to 0.0.297). The vulnerability arises because the application dynamically generates and executes Python code via a large language model (LLM) in response to user queries, specifically in the function named generate_df.'}, {'type': 'paragraph', 'content': "An attacker can exploit this by performing a prompt injection attack, manipulating the input to the LLM to insert malicious Python commands into the generated code. For example, the attacker can force the LLM to insert commands like __import__('os').system('touch /tmp/success'), which when executed on the server, run arbitrary system commands."}, {'type': 'paragraph', 'content': 'The root cause is the lack of input sanitization, insufficient sandboxing, and absence of static analysis on the generated code before execution, allowing attackers to bypass restrictions and gain unauthorized control over the server.'}] [3, 4]


How can this vulnerability impact me? :

This vulnerability allows attackers to execute arbitrary code on the server hosting the bagofwords application. This can lead to severe impacts including:

  • Complete server takeover by the attacker.
  • Theft or unauthorized access to sensitive data.
  • Denial of service or disruption of the application.

Because the exploit is publicly available and can be launched remotely without user interaction, the risk of exploitation is significant if the application is not upgraded.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

The CVE-2026-4500 vulnerability involves remote code execution through injection in dynamically generated Python code within the bagofwords application. Detection involves monitoring for suspicious activity related to the execution of the vulnerable function `generate_df` and the presence of injected malicious commands.

One practical detection method is to look for evidence of arbitrary command execution on the server, such as unexpected file creation (e.g., the file `/tmp/success` as demonstrated in the proof of concept).

Since the vulnerability arises from prompt injection leading to execution of malicious Python code, monitoring logs for unusual Python code execution or unexpected system commands is recommended.

Suggested commands to detect exploitation attempts include:

  • Check for the presence of the file `/tmp/success` which is used in the proof of concept to confirm code execution: `ls -l /tmp/success`
  • Monitor running processes for suspicious commands or Python executions: `ps aux | grep python`
  • Search application logs for suspicious input or code snippets containing `__import__`, `os.system`, or other system command invocations.
  • Use static analysis or AST-based tools to analyze generated Python code before execution to detect forbidden imports or function calls, as implemented in the patched version.

What immediate steps should I take to mitigate this vulnerability?

The primary and recommended immediate mitigation step is to upgrade the bagofwords application to version 0.0.298 or later, which includes a security patch that introduces deterministic AST-based validation to prevent unsafe code execution.

Additional mitigation steps include:

  • Apply the patch identified by commit `47b20bcda31264635faff7f6b1c8095abe1861c6` which enforces strict AST-based Python code validation and SQL query inspection to block dangerous operations.
  • Implement static analysis or AST parsing on dynamically generated Python code to detect and block forbidden imports (e.g., `os`, `sys`, `subprocess`) and dangerous function calls before execution.
  • Refine prompt engineering to explicitly forbid generation of system-level commands, although this is a secondary defense as prompt injection can bypass it.
  • Run the application worker process with least privilege to limit potential damage if exploitation occurs.

Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart