CVE-2026-5532
Received Received - Intake
OS Command Injection in ScrapeGraphAI GenerateCodeNode Component

Publication date: 2026-04-05

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was found in ScrapeGraphAI scrapegraph-ai up to 1.74.0. The affected element is the function create_sandbox_and_execute of the file scrapegraphai/nodes/generate_code_node.py of the component GenerateCodeNode Component. The manipulation results in os command injection. The attack may be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-05
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-04-05
EPSS Evaluated
2026-06-14
NVD
CVE-2026-5532
EUVD
EUVD-2026-19014
Affected Vendors & Products
Currently, no data is known.
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-5532 is a critical Remote Code Execution (RCE) vulnerability in ScrapeGraphAI versions up to 1.74.0. It occurs in the function create_sandbox_and_execute of the GenerateCodeNode component, where Python code generated by a Large Language Model (LLM) is executed unsafely using Python's exec() function.

The vulnerability arises because the sandboxing is ineffective: the executed code has full access to Python's built-in functions, including dangerous ones like __import__(), open(), eval(), and exec(). An attacker can embed malicious prompt injection payloads inside HTML content on a webpage. When ScrapeGraphAI scrapes this attacker-controlled webpage, the malicious HTML influences the LLM to generate harmful Python code, which is then executed with full privileges.

This allows the attacker to execute arbitrary commands on the victim's system remotely, including running shell commands, reading or writing files, and exfiltrating data, leading to complete system compromise.

Impact Analysis

This vulnerability can lead to a complete compromise of the affected system running ScrapeGraphAI. An attacker can remotely execute arbitrary code with the privileges of the ScrapeGraphAI process.

  • Execution of arbitrary shell commands.
  • Reading, modifying, or deleting files on the system.
  • Exfiltration of sensitive data.
  • Potential full system takeover depending on the environment and privileges.
Detection Guidance

This vulnerability can be detected by monitoring for unexpected execution of Python code or suspicious network activity related to ScrapeGraphAI scraping attacker-controlled URLs.

Since the vulnerability involves execution of LLM-generated Python code with full builtins, detection can focus on identifying unusual Python exec() calls or unexpected subprocess executions.

Suggested commands to detect exploitation attempts include:

  • Using system process monitoring tools (e.g., ps, top) to look for unexpected Python processes.
  • Checking logs for network requests to suspicious or attacker-controlled URLs that ScrapeGraphAI might be scraping.
  • Using command-line tools like `lsof` or `strace` on the ScrapeGraphAI process to detect unexpected file or network activity.
  • Searching for suspicious Python code execution in logs or runtime traces, for example by grepping for exec() calls or subprocess usage.

Example command to check running Python processes: `ps aux | grep python`

Example command to monitor network connections: `netstat -tunap | grep scrapegraph-ai` or `ss -tunap | grep scrapegraph-ai`

Mitigation Strategies

Immediate mitigation steps include:

  • Stop using ScrapeGraphAI versions up to 1.74.0 until a patched version is available.
  • Avoid scraping untrusted or attacker-controlled web pages that could contain malicious prompt injection payloads.
  • If possible, disable or restrict the execution of LLM-generated code or sandbox it properly to prevent access to dangerous Python builtins.
  • Monitor and restrict network access of ScrapeGraphAI to trusted sources only.
  • Implement runtime monitoring to detect and block suspicious Python code execution or subprocess calls.

Since the vendor has not responded and no patch is currently available, these steps are critical to reduce risk of exploitation.

Compliance Impact

This vulnerability allows remote attackers to execute arbitrary code on the victim's system, potentially leading to full system compromise.

Such a compromise could result in unauthorized access, modification, or exfiltration of sensitive data, which may violate data protection regulations such as GDPR and HIPAA.

Organizations using the affected ScrapeGraphAI versions could face compliance risks if the vulnerability is exploited, as it undermines the confidentiality, integrity, and availability of protected data.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-5532. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart