CVE-2026-41512
Analyzed Analyzed - Analysis Complete

Remote Code Execution in ai-scanner via JavaScript Injection

Vulnerability report for CVE-2026-41512, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-05-08

Last updated on: 2026-05-11

Assigner: GitHub, Inc.

Description

ai-scanner is an AI model safety scanner built on NVIDIA garak. From version 1.0.0 to before version 1.4.1, there is a remote code execution vulnerability via JavaScript injection in `BrowserAutomation::PlaywrightService`. This issue has been patched in version 1.4.1.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-05-08
Last Modified
2026-05-11
Generated
2026-07-09
AI Q&A
2026-05-08
EPSS Evaluated
2026-07-08
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
mozilla 0din_scanner From 1.0.0 (inc) to 1.4.1 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-41512 is a critical remote code execution vulnerability in the BrowserAutomation::PlaywrightService component of the ai-scanner project, affecting versions 1.0.0 through 1.4.0.

The flaw occurs due to improper handling of user-controlled input, specifically URLs and CSS selectors, which are interpolated into Node.js scripts as Ruby heredoc strings without proper escaping.

Attackers can exploit this by injecting malicious JavaScript code through single quotes in URLs, bypassing validation checks and executing arbitrary commands with the privileges of the Rails application container.

The vulnerability is exploitable via the POST /targets/auto_detect_selectors endpoint, accessible to any authenticated tenant member due to weak authorization controls.

Impact Analysis

Successful exploitation of this vulnerability allows attackers to execute arbitrary code with the application's privileges.

  • Read sensitive environment variables, including secrets like SECRET_KEY_BASE and POSTGRES_PASSWORD.
  • Decrypt tenant data and forge authentication tokens.
  • Access the database and potentially compromise neighboring containers on the Docker network.

Overall, this can lead to full system compromise, data breaches, and unauthorized access to sensitive information.

Detection Guidance

The vulnerability can be detected by monitoring for exploitation attempts targeting the POST /targets/auto_detect_selectors endpoint, which is accessible to authenticated tenant members.

Detection can focus on unusual or malicious JavaScript injection attempts in URLs or CSS selectors submitted to this endpoint, as these inputs are improperly escaped and lead to remote code execution.

Specific commands are not provided in the available resources, but network or application logs should be inspected for suspicious POST requests to /targets/auto_detect_selectors containing single quotes or JavaScript code.

Mitigation Strategies

The immediate mitigation step is to upgrade ai-scanner to version 1.4.1 or later, where this vulnerability has been patched.

Additionally, restrict access to the POST /targets/auto_detect_selectors endpoint to trusted users only, and implement stronger authorization controls to prevent unauthorized exploitation.

Monitoring and logging suspicious activity targeting this endpoint can also help in early detection and response.

Compliance Impact

The vulnerability allows remote code execution through JavaScript injection, enabling attackers to access sensitive environment variables, decrypt tenant data, forge authentication tokens, and access databases. This exposure of sensitive data and unauthorized access could lead to violations of data protection regulations such as GDPR and HIPAA, which mandate strict controls over personal and sensitive information.

Because attackers can compromise tenant data and secrets, organizations using affected versions of ai-scanner may fail to maintain confidentiality, integrity, and availability of protected data, thereby risking non-compliance with these common standards and regulations.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-41512. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart