CVE-2026-6603
Published: 20 April 2026
Summary
CVE-2026-6603 is a high-severity Injection (CWE-74) vulnerability. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 17.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly prevents code injection by requiring validation of untrusted inputs to execute_python_code and execute_shell_command functions to neutralize special elements per CWE-74.
Mandates identification, reporting, and correction of flaws like CVE-2026-6603, enabling patching or mitigation of the vulnerable functions.
Reduces exploitation risk by restricting or disabling nonessential capabilities such as arbitrary Python code and shell command execution.
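With no patch available, a practical first step for the controls above is to find where a deployment is exposed. The following is an added example, not code from the advisory or from the agentscope project: it flags an installed version at or below 1.0.18 and uses Python's `ast` module to locate imports of, or references to, the two affected functions in application source. The sample source, the `agentscope.tool` import path, the `Toolkit` calls and the `lookup_weather` name are constructed assumptions.

```python
import ast

# Function names and the "up to 1.0.18" bound come from the advisory text.
RISKY_TOOLS = {"execute_python_code", "execute_shell_command"}
LAST_AFFECTED = (1, 0, 18)


def is_affected_version(version: str) -> bool:
    """True when a dotted release string is at or below 1.0.18."""
    try:
        parts = tuple(int(p) for p in version.split(".")[:3])
    except ValueError:
        return True  # unparsable (e.g. pre-release tag): fail closed, review by hand
    return parts <= LAST_AFFECTED


def find_risky_tool_refs(source: str, filename: str = "<src>") -> list:
    """Return sorted (line, name) pairs for imports of or references to the risky tools."""
    hits = set()
    for node in ast.walk(ast.parse(source, filename)):
        if isinstance(node, ast.ImportFrom):
            # Catches aliased imports too; later uses of the alias are not tracked.
            for alias in node.names:
                if alias.name in RISKY_TOOLS:
                    hits.add((node.lineno, alias.name))
        elif isinstance(node, ast.Name) and node.id in RISKY_TOOLS:
            hits.add((node.lineno, node.id))
        elif isinstance(node, ast.Attribute) and node.attr in RISKY_TOOLS:
            hits.add((node.lineno, node.attr))
    return sorted(hits)


# Constructed sample of application code; import path and Toolkit calls are assumptions.
SAMPLE = '''\
from agentscope.tool import Toolkit, execute_python_code
import agentscope.tool as t

toolkit = Toolkit()
toolkit.register_tool_function(execute_python_code)
toolkit.register_tool_function(t.execute_shell_command)
toolkit.register_tool_function(lookup_weather)
'''

if __name__ == "__main__":
    print("1.0.18 affected:", is_affected_version("1.0.18"))
    for line, name in find_risky_tool_refs(SAMPLE):
        print(f"line {line}: {name}")
```

Each hit is a place to decide whether the agent genuinely needs code or shell execution; where it does not, dropping the registration removes the exposure described above.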
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote unauthenticated code injection in execute_python_code and execute_shell_command functions directly enables exploitation of public-facing applications (T1190) and arbitrary command execution via Python (T1059.006) and Unix Shell (T1059.004).
NVD Description
A vulnerability was determined in modelscope agentscope up to 1.0.18. Affected by this vulnerability is the function execute_python_code/execute_shell_command of the file src/AgentScope/tool/_coding/_python.py. This manipulation causes code injection. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
Deeper analysis
CVE-2026-6603 is a code injection vulnerability affecting modelscope agentscope versions up to 1.0.18. The issue resides in the execute_python_code and execute_shell_command functions within the file src/AgentScope/tool/_coding/_python.py. Manipulation of these functions enables arbitrary code injection, with a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), linked to CWE-74 (Improper Neutralization of Special Elements) and CWE-94 (Code Injection). The vulnerability was published on 2026-04-20.
The vulnerability is exploitable remotely by unauthenticated attackers with low complexity requirements and no user interaction needed. Successful exploitation allows limited impacts on confidentiality, integrity, and availability, potentially enabling attackers to execute arbitrary Python code or shell commands on the affected system.
Advisories from VulDB (e.g., vuln/358238) document the issue but note no vendor response to early disclosure attempts, with no patches or official mitigations available. A proof-of-concept exploit is publicly disclosed via a GitHub Gist, increasing the risk of utilization by threat actors.
The exploit's public availability heightens exploitation potential, particularly in environments deploying agentscope for AI agent workflows, though no confirmed real-world attacks are reported in the provided details.
Details
- CWE(s)