Cyber Resilience

CVE-2026-42079

High

Published: 04 May 2026

Published
04 May 2026
Modified
05 May 2026
KEV Added
Patch
CVSS Score v3.1 8.6 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
EPSS Score 0.0014 4.1th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-42079 is a high-severity Eval Injection (CWE-95) vulnerability. Its CVSS base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 4.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related — categorised as AI Agent Protocols and Integrations; in the LLM/Generative AI Risks risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-42079 is an arbitrary code execution vulnerability in PPTAgent, an agentic framework for reflective PowerPoint generation. Prior to commit 418491a, the framework executes LLM-generated code using Python's eval() function with builtins in scope, enabling attackers to run arbitrary Python code. The issue is classified as CWE-95 (Improper Neutralization of Special Elements used in an eval() or Similar Function while Processing User-Controlled Input) and carries a CVSS v3.1 base score of 8.6 (AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).

An attacker with local access can exploit this vulnerability with low complexity and no required privileges, but it requires user interaction, such as tricking a user into processing malicious input that influences LLM code generation. Successful exploitation grants arbitrary code execution on the host system, resulting in high impacts to confidentiality, integrity, and availability, along with a scope change that affects the broader system.

The vulnerability has been patched in commit 418491a of the PPTAgent repository. Additional details are available in the GitHub security advisory GHSA-89g2-xw5c-v95p.

This flaw underscores risks in AI/ML agentic workflows where LLM outputs are directly evaluated, as seen in PPTAgent's PowerPoint generation pipeline. No public information on real-world exploitation is available.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

PPTAgent is an agentic framework for reflective PowerPoint generation. Prior to commit 418491a, PPTAgent is vulnerable to arbitrary code execution via Python eval() of LLM-generated code with builtins in scope. This issue has been patched via commit 418491a.

CWE(s)

AI Security AnalysisAI

AI Category
AI Agent Protocols and Integrations
Risk Domain
LLM/Generative AI Risks
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: llm

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
T1059.006 Python Execution
Adversaries may abuse Python commands and scripts for execution.
Why these techniques?

Arbitrary Python code execution via unsafe eval() of LLM-generated input directly enables T1059.006 (Python interpreter) and is triggered via client-side exploitation requiring user interaction (T1203).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-48962Shared CWE-95
CVE-2026-44643Shared CWE-95
CVE-2026-35002Shared CWE-95
CVE-2026-31254Shared CWE-95
CVE-2026-5971Shared CWE-95
CVE-2025-0868Shared CWE-95
CVE-2026-4965Shared CWE-95
CVE-2026-28370Shared CWE-95
CVE-2026-0769Shared CWE-95
CVE-2026-44128Shared CWE-95

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SI-10 requires validation and sanitization of LLM-generated code prior to eval() execution to neutralize special elements and prevent arbitrary code execution per CWE-95.

prevent

SI-2 ensures timely identification, reporting, and patching of flaws like the unsafe eval() usage fixed in commit 418491a.

prevent

CM-7 restricts the framework to least functionality by prohibiting or limiting dangerous features like unrestricted eval() with builtins.

References