CVE-2026-42080
Arbitrary File Write in PPTAgent via save_generated_slides
Publication date: 2026-05-04
Last updated on: 2026-05-04
Assigner: GitHub, Inc.
Description
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in PPTAgent, a framework for generating PowerPoint presentations. Before the patch in commit 418491a, the function save_generated_slides contained an arbitrary file write vulnerability. This means an attacker could potentially write files to arbitrary locations on the system.
How can this vulnerability impact me?
The vulnerability allows an attacker with some privileges to write files to arbitrary locations on the system, which can lead to limited integrity and availability impacts. According to the CVSS score, the impact on confidentiality is none, while the impacts on integrity and availability are low.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability has been patched via commit 418491a. Immediate mitigation steps include updating PPTAgent to the version that includes this patch.