CVE-2026-5584
Received Received - Intake
Remote Code Injection in Fosowl agenticSeek PyInterpreter.execute

Publication date: 2026-04-05

Last updated on: 2026-04-30

Assigner: VulDB

Description
A vulnerability has been found in Fosowl agenticSeek 0.1.0. Impacted is the function PyInterpreter.execute of the file sources/tools/PyInterpreter.py of the component query Endpoint. Such manipulation leads to code injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-05
Last Modified
2026-04-30
Generated
2026-06-16
AI Q&A
2026-04-05
EPSS Evaluated
2026-06-14
NVD
CVE-2026-5584
EUVD
EUVD-2026-19113
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
fosowl agenticseek 0.1.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-5584 is a critical remote code execution vulnerability in the AgenticSeek project (version 0.1.0). It affects multiple interpreter components that execute large language model (LLM)-generated code without proper sandboxing or restrictions. Specifically, the Python interpreter uses Python's exec() function with full access to system modules, allowing arbitrary code execution. The Bash interpreter executes shell commands unsafely, enabling command injection. Other interpreters compile and run code without isolation, allowing full privilege code execution.

The vulnerability arises because there are no execution timeouts, resource limits, or sandboxing, and the safety mechanisms intended to block dangerous commands are disabled by default and incomplete. Attackers can send unauthenticated HTTP POST requests that trigger execution of arbitrary code on the host system.

Impact Analysis

This vulnerability can lead to complete system compromise by allowing attackers to execute arbitrary commands with the privileges of the running process. It enables theft of sensitive data such as API keys and credentials by reading files like .env and exfiltrating their contents.

  • Arbitrary command execution on the host system.
  • Theft and exfiltration of sensitive data.
  • Lateral movement through reverse shells or SSH connections.
  • Persistence mechanisms such as backdoors, cron jobs, or user creation.
  • Denial of service via resource exhaustion due to lack of execution limits.
  • Supply chain risks from indirect prompt injection triggering code execution.
Detection Guidance

This vulnerability can be detected by monitoring for unauthenticated HTTP POST requests to the /query endpoint that contain JSON payloads triggering LLM-generated code execution.

Detection commands could include inspecting web server logs for suspicious POST requests to /query, especially those containing unusual or potentially malicious code snippets.

Additionally, network monitoring tools can be used to detect unusual outbound connections or command execution patterns indicative of exploitation attempts.

Specific commands might include:

  • Using grep to find suspicious POST requests in logs: grep -i 'POST /query' /var/log/nginx/access.log | grep -i 'exec' or other suspicious keywords
  • Monitoring running processes for unexpected commands or shells spawned by the Fosowl agenticSeek process.
  • Using network monitoring tools like tcpdump or Wireshark to capture and analyze traffic to the /query endpoint.
Mitigation Strategies

Immediate mitigation steps include:

  • Disable or restrict access to the /query endpoint to prevent unauthenticated remote code execution.
  • Enable the safe_mode feature in the software to activate the safety blocklist, although it is incomplete and should not be solely relied upon.
  • Replace the use of exec() with subprocess-based execution that runs code in isolated processes with restricted permissions and empty environments.
  • Avoid using shell=True with untrusted input; instead, use subprocess.run() with argument lists.
  • Implement sandboxing for all code execution using Docker containers with network disabled, read-only filesystems, seccomp profiles, and resource limits.
  • Fix the string concatenation bug in the blocklist and replace the blocklist with an allowlist permitting only known-safe commands.
  • Require explicit user confirmation before executing any generated code.
  • Restrict the globals passed to exec() by removing access to os, sys, and full __builtins__.
Compliance Impact

This vulnerability allows unauthenticated remote attackers to execute arbitrary code on the host system, leading to complete system compromise.

Such a compromise can result in theft of sensitive data including API keys and credentials, data exfiltration by reading any accessible file, and persistence mechanisms that could maintain unauthorized access.

These impacts can lead to violations of data protection regulations and standards such as GDPR and HIPAA, which require safeguarding sensitive personal and health information against unauthorized access and breaches.

Therefore, exploitation of this vulnerability could cause non-compliance with these regulations due to potential data breaches, unauthorized data access, and failure to maintain adequate security controls.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-5584. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart