Cyber Resilience

CVE-2026-25130

CriticalRCE

Published: 30 January 2026

Published
30 January 2026
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 9.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
EPSS Score 0.0080 51.8th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-25130 is a critical-severity OS Command Injection (CWE-78) vulnerability. Its CVSS base score is 9.6 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 48.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related — categorised as AI Agent Protocols and Integrations; in the Supply Chain and Deployment risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-25130 is an argument injection vulnerability affecting the Cybersecurity AI (CAI) framework, a tool for AI security, in versions up to and including 0.5.10. The issue resides in multiple function tools where user-controlled input is passed directly to shell commands via subprocess.Popen() with shell=True, enabling command injection. Notably, the find_file() tool is classified as a "safe" pre-approved command, allowing it to execute without requiring user approval.

An attacker can exploit this vulnerability remotely over the network with no privileges required, though it demands user interaction and low attack complexity. By injecting malicious arguments, such as -exec, into the args parameter, they achieve remote code execution (RCE) on the host system, fully bypassing human-in-the-loop safety mechanisms. The CVSS v3.1 score of 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H) reflects its critical severity, with high impacts on confidentiality, integrity, and availability, and a changed scope.

Mitigation is addressed in commit e22a1220f764e2d7cf9da6d6144926f53ca01cde. Further details, including the full advisory, are available at the GitHub security advisory GHSA-jfpc-wj3m-qw2m.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Cybersecurity AI (CAI) is a framework for AI Security. In versions up to and including 0.5.10, the CAI (Cybersecurity AI) framework contains multiple argument injection vulnerabilities in its function tools. User-controlled input is passed directly to shell commands via `subprocess.Popen()`…

more

with `shell=True`, allowing attackers to execute arbitrary commands on the host system. The `find_file()` tool executes without requiring user approval because find is considered a "safe" pre-approved command. This means an attacker can achieve Remote Code Execution (RCE) by injecting malicious arguments (like -exec) into the args parameter, completely bypassing any human-in-the-loop safety mechanisms. Commit e22a1220f764e2d7cf9da6d6144926f53ca01cde contains a fix.

CWE(s)

AI Security AnalysisAI

AI Category
AI Agent Protocols and Integrations
Risk Domain
Supply Chain and Deployment
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: ai

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Argument/command injection via unsanitized input to subprocess.Popen(shell=True) in a remotely accessible framework directly enables RCE; maps to exploitation of a network-reachable application (T1190) and arbitrary Unix shell command execution (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-30861Shared CWE-78
CVE-2026-40111Shared CWE-78
CVE-2026-5059Shared CWE-78
CVE-2026-33718Shared CWE-78
CVE-2026-40088Shared CWE-78
CVE-2026-42076Shared CWE-78
CVE-2018-25115Shared CWE-78
CVE-2026-7446Shared CWE-78
CVE-2025-24382Shared CWE-78
CVE-2026-29058Shared CWE-78

Affected Assets

AI Security. In
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires validation of user-controlled inputs before passing to shell commands via subprocess.Popen(), directly preventing argument injection for RCE.

prevent

Mandates timely identification, reporting, and patching of flaws like the argument injection vulnerability fixed in commit e22a1220f764e2d7cf9da6d6144926f53ca01cde.

prevent

Enforces least privilege to restrict the scope and impact of arbitrary command execution even if argument injection succeeds.

References